AWS IAM Login Profile Added for Root

Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary access to the root account, may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/12/02"
  3integration = ["aws"]
  4maturity = "production"
  5min_stack_comments = "ES|QL available in technical preview."
  6min_stack_version = "8.13.0"
  7updated_date = "2025/01/10"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary
 13access to the root account, may add a login profile to the root user account to maintain access even if the original
 14access key is rotated or disabled.
 15"""
 16from = "now-9m"
 17language = "esql"
 18license = "Elastic License v2"
 19name = "AWS IAM Login Profile Added for Root"
 20note = """## Triage and analysis
 21
 22> **Disclaimer**:
 23> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 24
 25### Investigating AWS IAM Login Profile Added for Root
 26
 27AWS IAM allows management of user access and permissions within AWS environments. A login profile enables console access using a password. Adversaries may exploit temporary root access to create a login profile, ensuring persistent access even if keys are rotated. The detection rule identifies such actions by monitoring specific API calls and conditions, flagging unauthorized profile additions to root accounts.
 28
 29### Possible investigation steps
 30
 31- Review the @timestamp field to determine when the CreateLoginProfile action occurred and correlate it with any other suspicious activities around the same time.
 32- Examine the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify the specific root account and access key involved in the action.
 33- Investigate the source.address field to trace the IP address from which the CreateLoginProfile request originated, checking for any unusual or unauthorized locations.
 34- Analyze the aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements fields to understand the specifics of the login profile creation and verify if any unexpected parameters were used.
 35- Check the cloud.account.id to confirm which AWS account was affected and assess if there are any other security incidents or alerts associated with this account.
 36- Review the event.action field to ensure that no other unauthorized actions were performed by the root account around the same time.
 37
 38### False positive analysis
 39
 40- Administrative actions by trusted personnel may trigger the rule if they are performing legitimate maintenance or security tasks. To manage this, create exceptions for known administrative accounts by filtering their access key IDs.
 41- Automated scripts or tools used for account management might inadvertently match the rule's conditions. Identify these scripts and exclude their specific access key IDs or user agents from the detection criteria.
 42- Testing environments where root access is used for simulation or development purposes can cause false positives. Implement a tagging system for test environments and exclude logs with these tags from triggering the rule.
 43- Third-party integrations that require root access for initial setup or configuration might be flagged. Document these integrations and adjust the rule to recognize and exclude their specific access patterns.
 44
 45### Response and remediation
 46
 47- Immediately revoke any active sessions and access keys associated with the root account to prevent further unauthorized access.
 48- Reset the root account password and ensure that multi-factor authentication (MFA) is enabled for the root user to enhance security.
 49- Review AWS CloudTrail logs to identify any other suspicious activities or changes made by the root account during the time of the incident.
 50- Conduct a thorough audit of IAM policies and permissions to ensure that no other unauthorized changes have been made and that least privilege principles are enforced.
 51- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure awareness across the organization.
 52- Implement additional monitoring and alerting for root account activities to detect any future unauthorized access attempts promptly.
 53- Consider engaging AWS Support or a third-party security expert if the incident's scope is beyond internal capabilities or if further forensic analysis is required.
 54
 55## Investigating AWS IAM Login Profile Added for Root
 56
 57This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.
 58
 59### Possible Investigation Steps
 60
 61- **Identify the Source and Context of the Action**:
 62    - Examine the `source.address` field to identify the IP address from which the request originated.
 63        - Check the geographic location (`source.address`) to determine if the access is from an expected or unexpected region.
 64    - Look at the `user_agent.original` field to identify the tool or browser used for this action.
 65        - For example, a user agent like `Mozilla/5.0` might indicate interactive access, whereas `aws-cli` or SDKs suggest scripted activity.
 66
 67- **Confirm Root User and Request Details**:
 68    - Validate the root user's identity through `aws.cloudtrail.user_identity.arn` and ensure this activity aligns with legitimate administrative actions.
 69    - Review `aws.cloudtrail.user_identity.access_key_id` to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions.
 70
 71- **Analyze the Login Profile Creation**:
 72    - Review the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields for details of the created login profile.
 73        - For example, confirm the `userName` of the profile and whether `passwordResetRequired` is set to `true`.
 74    - Compare the `@timestamp` of this event with other recent actions by the root account to identify potential privilege escalation or abuse.
 75
 76- **Correlate with Other Events**:
 77    - Investigate for related IAM activities, such as:
 78        - `CreateAccessKey` or `AttachUserPolicy` events targeting the root account.
 79        - Unusual data access, privilege escalation, or management console logins.
 80    - Check for any anomalies involving the same `source.address` or `aws.cloudtrail.user_identity.access_key_id` in the environment.
 81
 82- **Evaluate Policy and Permissions**:
 83    - Verify the current security policies for the root account:
 84        - Ensure password policies enforce complexity and rotation requirements.
 85        - Check if MFA is enforced on the root account.
 86    - Assess the broader IAM configuration for deviations from least privilege principles.
 87
 88### False Positive Analysis
 89
 90- **Routine Administrative Tasks**: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.
 91
 92- **Automation**: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.
 93
 94### Response and Remediation
 95
 96- **Immediate Access Review**:
 97    - Disable the newly created login profile (`aws iam delete-login-profile`) if it is determined to be unauthorized.
 98    - Rotate or disable the credentials associated with the root account to prevent further abuse.
 99
100- **Enhance Monitoring and Alerts**:
101    - Enable real-time monitoring and alerting for IAM actions involving the root account.
102    - Increase the logging verbosity for root account activities.
103
104- **Review and Update Security Policies**:
105    - Enforce MFA for all administrative actions, including root account usage.
106    - Restrict programmatic access to the root account by disabling access keys unless absolutely necessary.
107
108- **Conduct Post-Incident Analysis**:
109    - Investigate how the credentials for the root account were compromised or misused.
110    - Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.
111
112### Additional Resources
113
114- AWS documentation on [Login Profile Management](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html).
115"""
116risk_score = 73
117rule_id = "c04be7e0-b0fc-11ef-a826-f661ea17fbce"
118severity = "high"
119tags = [
120    "Domain: Cloud",
121    "Data Source: AWS",
122    "Data Source: Amazon Web Services",
123    "Data Source: AWS IAM",
124    "Use Case: Identity and Access Audit",
125    "Tactic: Persistence",
126    "Resources: Investigation Guide",
127]
128timestamp_override = "event.ingested"
129type = "esql"
130
131query = '''
132from logs-aws.cloudtrail* metadata _id, _version, _index
133| where
134    // filter for CloudTrail logs from IAM
135    event.dataset == "aws.cloudtrail"
136    and event.provider == "iam.amazonaws.com"
137
138    // filter for successful CreateLoginProfile API call
139    and event.action == "CreateLoginProfile"
140    and event.outcome == "success"
141
142    // filter for Root member account
143    and aws.cloudtrail.user_identity.type == "Root"
144
145    // filter for an access key existing which sources from AssumeRoot
146    and aws.cloudtrail.user_identity.access_key_id IS NOT NULL
147
148    // filter on the request parameters not including UserName which assumes self-assignment
149    and NOT TO_LOWER(aws.cloudtrail.request_parameters) LIKE "*username*"
150| keep
151    @timestamp,
152    aws.cloudtrail.request_parameters,
153    aws.cloudtrail.response_elements,
154    aws.cloudtrail.user_identity.type,
155    aws.cloudtrail.user_identity.arn,
156    aws.cloudtrail.user_identity.access_key_id,
157    cloud.account.id,
158    event.action,
159    source.address
160'''
161
162
163[[rule.threat]]
164framework = "MITRE ATT&CK"
165[[rule.threat.technique]]
166id = "T1078"
167name = "Valid Accounts"
168reference = "https://attack.mitre.org/techniques/T1078/"
169[[rule.threat.technique.subtechnique]]
170id = "T1078.004"
171name = "Cloud Accounts"
172reference = "https://attack.mitre.org/techniques/T1078/004/"
173
174
175[[rule.threat.technique]]
176id = "T1098"
177name = "Account Manipulation"
178reference = "https://attack.mitre.org/techniques/T1098/"
179
180
181[rule.threat.tactic]
182id = "TA0003"
183name = "Persistence"
184reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS IAM Login Profile Added for Root

AWS IAM allows management of user access and permissions within AWS environments. A login profile enables console access using a password. Adversaries may exploit temporary root access to create a login profile, ensuring persistent access even if keys are rotated. The detection rule identifies such actions by monitoring specific API calls and conditions, flagging unauthorized profile additions to root accounts.

Possible investigation steps

  • Review the @timestamp field to determine when the CreateLoginProfile action occurred and correlate it with any other suspicious activities around the same time.
  • Examine the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify the specific root account and access key involved in the action.
  • Investigate the source.address field to trace the IP address from which the CreateLoginProfile request originated, checking for any unusual or unauthorized locations.
  • Analyze the aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements fields to understand the specifics of the login profile creation and verify if any unexpected parameters were used.
  • Check the cloud.account.id to confirm which AWS account was affected and assess if there are any other security incidents or alerts associated with this account.
  • Review the event.action field to ensure that no other unauthorized actions were performed by the root account around the same time.

False positive analysis

  • Administrative actions by trusted personnel may trigger the rule if they are performing legitimate maintenance or security tasks. To manage this, create exceptions for known administrative accounts by filtering their access key IDs.
  • Automated scripts or tools used for account management might inadvertently match the rule's conditions. Identify these scripts and exclude their specific access key IDs or user agents from the detection criteria.
  • Testing environments where root access is used for simulation or development purposes can cause false positives. Implement a tagging system for test environments and exclude logs with these tags from triggering the rule.
  • Third-party integrations that require root access for initial setup or configuration might be flagged. Document these integrations and adjust the rule to recognize and exclude their specific access patterns.

Response and remediation

  • Immediately revoke any active sessions and access keys associated with the root account to prevent further unauthorized access.
  • Reset the root account password and ensure that multi-factor authentication (MFA) is enabled for the root user to enhance security.
  • Review AWS CloudTrail logs to identify any other suspicious activities or changes made by the root account during the time of the incident.
  • Conduct a thorough audit of IAM policies and permissions to ensure that no other unauthorized changes have been made and that least privilege principles are enforced.
  • Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure awareness across the organization.
  • Implement additional monitoring and alerting for root account activities to detect any future unauthorized access attempts promptly.
  • Consider engaging AWS Support or a third-party security expert if the incident's scope is beyond internal capabilities or if further forensic analysis is required.

Investigating AWS IAM Login Profile Added for Root

This rule detects when a login profile is added to the AWS root account. Adding a login profile to the root account, especially if self-assigned, is highly suspicious as it might indicate an adversary trying to establish persistence in the environment.

Possible Investigation Steps

  • Identify the Source and Context of the Action:

    • Examine the source.address field to identify the IP address from which the request originated.
      • Check the geographic location (source.address) to determine if the access is from an expected or unexpected region.
    • Look at the user_agent.original field to identify the tool or browser used for this action.
      • For example, a user agent like Mozilla/5.0 might indicate interactive access, whereas aws-cli or SDKs suggest scripted activity.
  • Confirm Root User and Request Details:

    • Validate the root user's identity through aws.cloudtrail.user_identity.arn and ensure this activity aligns with legitimate administrative actions.
    • Review aws.cloudtrail.user_identity.access_key_id to identify if the action was performed using temporary or permanent credentials. This access key could be used to pivot into other actions.
  • Analyze the Login Profile Creation:

    • Review the aws.cloudtrail.request_parameters and aws.cloudtrail.response_elements fields for details of the created login profile.
      • For example, confirm the userName of the profile and whether passwordResetRequired is set to true.
    • Compare the @timestamp of this event with other recent actions by the root account to identify potential privilege escalation or abuse.
  • Correlate with Other Events:

    • Investigate for related IAM activities, such as:
      • CreateAccessKey or AttachUserPolicy events targeting the root account.
      • Unusual data access, privilege escalation, or management console logins.
    • Check for any anomalies involving the same source.address or aws.cloudtrail.user_identity.access_key_id in the environment.
  • Evaluate Policy and Permissions:

    • Verify the current security policies for the root account:
      • Ensure password policies enforce complexity and rotation requirements.
      • Check if MFA is enforced on the root account.
    • Assess the broader IAM configuration for deviations from least privilege principles.

False Positive Analysis

  • Routine Administrative Tasks: Adding a login profile might be a legitimate action during certain administrative processes. Verify with the relevant AWS administrators if this event aligns with routine account maintenance or emergency recovery scenarios.

  • Automation: If the action is part of an approved automation process (e.g., account recovery workflows), consider excluding these activities from alerting using specific user agents, IP addresses, or session attributes.

Response and Remediation

  • Immediate Access Review:

    • Disable the newly created login profile (aws iam delete-login-profile) if it is determined to be unauthorized.
    • Rotate or disable the credentials associated with the root account to prevent further abuse.
  • Enhance Monitoring and Alerts:

    • Enable real-time monitoring and alerting for IAM actions involving the root account.
    • Increase the logging verbosity for root account activities.
  • Review and Update Security Policies:

    • Enforce MFA for all administrative actions, including root account usage.
    • Restrict programmatic access to the root account by disabling access keys unless absolutely necessary.
  • Conduct Post-Incident Analysis:

    • Investigate how the credentials for the root account were compromised or misused.
    • Strengthen the security posture by implementing account-specific guardrails and continuous monitoring.

Additional Resources

Related rules

to-top