AWS IAM Roles Anywhere Profile Creation

Detects the creation of a new AWS IAM Roles Anywhere profile. Roles Anywhere allows workloads or external systems to assume IAM roles from outside AWS by authenticating via trusted certificate authorities (trust anchors). Adversaries who have established persistence through a rogue trust anchor may create or modify profiles to link them with highly privileged roles, enabling long-term external access to the AWS environment. This rule identifies successful "CreateProfile" API calls and helps detect potentially unauthorized or risky external access configurations.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/12"

[rule]
author = ["Elastic"]
description = """
Detects the creation of a new AWS IAM Roles Anywhere profile. Roles Anywhere allows workloads or external systems to
assume IAM roles from outside AWS by authenticating via trusted certificate authorities (trust anchors). Adversaries who
have established persistence through a rogue trust anchor may create or modify profiles to link them with highly
privileged roles, enabling long-term external access to the AWS environment. This rule identifies successful
"CreateProfile" API calls and helps detect potentially unauthorized or risky external access configurations.
"""
false_positives = [
    """
    AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any
    location. Ensure that the profile created is expected and that the trust policy is configured securely.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Roles Anywhere Profile Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.

### Investigating AWS IAM Roles Anywhere Profile Creation

AWS IAM Roles Anywhere allows external workloads — such as CI/CD runners, on-premises systems, or third-party services —
to assume IAM roles securely by presenting a certificate from a trusted anchor. A profile defines the IAM roles that
can be assumed, the trust anchor they are associated with, and session duration limits.

This rule detects when a new Roles Anywhere profile is created using the `CreateProfile` API call. Unauthorized profile
creation can enable persistent external access if tied to over-privileged roles or to trust anchors associated with
unauthorized certificate authorities (CAs). Monitoring profile creation is crucial to ensuring that only approved roles
and anchors are in use.

#### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine
    which IAM user, role, or principal created the profile.
  - Check whether this identity normally manages Roles Anywhere configurations.

- **Review profile configuration**
  - Inspect `aws.cloudtrail.request_parameters` for key values such as:
    - `profileName`
    - `roleArns` – confirm that the listed IAM roles are expected and not overly permissive.
    - `trustAnchorArn` – verify the trust anchor is valid and authorized.
    - `durationSeconds` – check for unusually long session durations.
  - Determine if multiple roles were attached, which may indicate excessive privilege aggregation.

- **Correlate related activity**
  - Check for prior or concurrent events by the same actor, including:
    - `CreateTrustAnchor` with external or unauthorized certificate authorities.
    - `CreateRole`, `PutRolePolicy`, or `AttachRolePolicy` for privilege escalation paths.
  - Review whether subsequent `AssumeRoleWithCertificate` events occurred, indicating use of the new profile.

- **Assess the source context**
  - Investigate `source.ip`, `user_agent.original`, and `source.geo` fields to identify if this request originated from an unfamiliar host, region, or automation client (e.g., `boto3`, `curl`, custom SDKs).
  - Compare to baseline patterns of legitimate IAM or infrastructure automation.

- **Validate legitimacy**
  - Contact the responsible team (e.g., platform, PKI, or IAM administration) to confirm whether this profile creation
    aligns with approved change management or onboarding activities.


### False positive analysis:

- **Legitimate administrative actions**
  - IAM or PKI engineers may legitimately create profiles during setup of new external integrations or workloads.
    Validate against change control records and deployment logs.
- **Authorized automation**
  - Infrastructure-as-code (IaC) pipelines (Terraform, CloudFormation, etc.) may automatically create profiles.
    Confirm these operations are sourced from known automation accounts or IP ranges.
- **Development and testing**
  - Lab or sandbox accounts may test Roles Anywhere configurations with less restrictive controls.
    Ensure alerts from non-production accounts are tuned accordingly.

### Response and remediation:

- **Immediate review and containment**
  - If unauthorized, disable or delete the created profile (`aws rolesanywhere delete-profile`) and review all
    associated IAM roles for misuse.
  - Rotate any credentials or revoke certificates issued from unapproved trust anchors.

- **Investigation**
  - Search CloudTrail for additional related actions by the same identity, such as
    `CreateTrustAnchor`, `AssumeRoleWithCertificate`, or cross-account access attempts.
  - Verify whether any sessions have been initiated using the new profile and identify
    which roles were assumed.

- **Recovery and hardening**
  - Restrict `rolesanywhere:CreateProfile` to a small set of administrative roles.
  - Implement AWS Config or Security Hub controls to alert on unauthorized or overly
    permissive Roles Anywhere profiles.
  - Audit IAM role trust policies linked to external anchors and ensure adherence to the
    principle of least privilege.
  - Review and document all approved Roles Anywhere profiles and their corresponding trust anchors.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
    "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/",
    "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
    "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html",
]
risk_score = 21
rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rolesanywhere.amazonaws.com
    and event.action: CreateProfile
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
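The rule's query and the triage steps in its note, carried through in code as an added example (not Elastic's code or part of the rule): it applies the same match conditions to raw CloudTrail records, then checks the request parameters the guide names (roleArns, trustAnchorArn, durationSeconds) against allowlists and correlates the actor with CreateTrustAnchor events. The allowlists, the one-hour threshold and the sample records are constructed assumptions.

```python
# Added example, not Elastic's code: applies the rule's match conditions to raw
# CloudTrail records, then enriches each hit with the profile fields the guide says
# to inspect. Allowlists, thresholds and records are constructed assumptions.
ROLESANYWHERE = "rolesanywhere.amazonaws.com"
APPROVED_ANCHORS = {"arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/ta-ok"}
APPROVED_ROLES = {"arn:aws:iam::111122223333:role/ci-deploy"}
MAX_DURATION = 3600  # assumed local policy: flag sessions longer than one hour

def matches_rule(rec):
    """Mirror of the KQL. Raw CloudTrail has no event.outcome: success = no errorCode."""
    return (rec.get("eventSource") == ROLESANYWHERE
            and rec.get("eventName") == "CreateProfile" and "errorCode" not in rec)

def triage(records):
    """One finding per matching record, listing why an analyst would escalate it."""
    # Correlation step from the guide: actors that also ran CreateTrustAnchor.
    anchor_creators = {r["userIdentity"]["arn"] for r in records
                       if r.get("eventSource") == ROLESANYWHERE
                       and r.get("eventName") == "CreateTrustAnchor"}
    findings = []
    for rec in filter(matches_rule, records):
        p, actor = rec.get("requestParameters", {}), rec["userIdentity"]["arn"]
        reasons, roles = [], set(p.get("roleArns", []))
        if roles - APPROVED_ROLES:
            reasons.append("unapproved roleArns: " + ", ".join(sorted(roles - APPROVED_ROLES)))
        if p.get("trustAnchorArn") not in APPROVED_ANCHORS:
            reasons.append("trust anchor not on allowlist")
        if p.get("durationSeconds", 0) > MAX_DURATION:
            reasons.append(f"long session: {p['durationSeconds']}s")
        if actor in anchor_creators:
            reasons.append("same actor also ran CreateTrustAnchor")
        findings.append({"profile": p.get("profileName"), "actor": actor,
                         "source_ip": rec.get("sourceIPAddress"), "reasons": reasons})
    return findings

ACCT, TA = "arn:aws:iam::111122223333:", "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/"
SAMPLE_RECORDS = [  # constructed, not real CloudTrail data
    {"eventSource": ROLESANYWHERE, "eventName": "CreateTrustAnchor",
     "userIdentity": {"arn": ACCT + "user/contractor"}, "sourceIPAddress": "203.0.113.7"},
    {"eventSource": ROLESANYWHERE, "eventName": "CreateProfile", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": ACCT + "user/contractor"},
     "requestParameters": {"profileName": "ext-access", "durationSeconds": 43200, "trustAnchorArn": TA + "ta-rogue",
                           "roleArns": [ACCT + "role/ci-deploy", ACCT + "role/OrgAdmin"]}},
    {"eventSource": ROLESANYWHERE, "eventName": "CreateProfile", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"arn": ACCT + "role/terraform"}, "requestParameters": {"profileName": "ci",
     "durationSeconds": 3600, "trustAnchorArn": TA + "ta-ok", "roleArns": [ACCT + "role/ci-deploy"]}},
    {"eventSource": ROLESANYWHERE, "eventName": "CreateProfile", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ACCT + "user/contractor"}, "requestParameters": {}},
]
```

Running `triage(SAMPLE_RECORDS)` yields two findings: the contractor's profile with four escalation reasons, and the Terraform-created profile with none; the denied call is filtered out just as `event.outcome: success` filters it in the rule.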
