AWS IAM Roles Anywhere Profile Creation

Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2024/04/20"
  3integration = ["aws"]
  4maturity = "production"
  5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
  6min_stack_version = "8.9.0"
  7updated_date = "2024/06/03"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS
 13Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted
 14anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create
 15profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is
 16expected and that the trust policy is configured securely.
 17"""
 18false_positives = [
 19    """
 20    AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any
 21    location. Ensure that the profile created is expected and that the trust policy is configured securely.
 22    """,
 23]
 24from = "now-30m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26interval = "10m"
 27language = "kuery"
 28license = "Elastic License v2"
 29name = "AWS IAM Roles Anywhere Profile Creation"
 30note = """
 31
 32## Triage and Analysis
 33
 34### Investigating AWS IAM Roles Anywhere Profile Creation
 35
 36This rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.
 37
 38#### Possible Investigation Steps:
 39
 40- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who created the profile. Verify if this actor typically performs such actions and if they have the necessary permissions.
 41- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.
 42- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.
 43- **Check the Created Profile’s Permissions**: Review the `roleArns` associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.
 44- **Verify the Profile’s Configuration**: Ensure that the profile's `durationSeconds`, `enabled`, and `tags` are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.
 45
 46### False Positive Analysis:
 47
 48- **Legitimate Administrative Actions**: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
 49- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
 50- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the profile creation was successful and intended according to policy.
 51
 52### Response and Remediation:
 53
 54- **Immediate Review and Reversal if Necessary**: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.
 55- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.
 56- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.
 57- **Audit IAM Policies and Permissions**: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.
 58- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.
 59
 60### Additional Information:
 61
 62For further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the [AWS Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. Additionally, consult the following resources for specific details on profile management and potential abuse:
 63- [AWS IAM Roles Anywhere Profile Creation API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html)
 64- [Ermetic Blog - Managing Third Party Access](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)
 65
 66"""
 67references = [
 68    "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
 69    "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/",
 70    "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
 71    "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"
 72]
 73risk_score = 21
 74rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce"
 75severity = "low"
 76tags = [
 77    "Domain: Cloud",
 78    "Data Source: AWS",
 79    "Data Source: Amazon Web Services",
 80    "Data Source: AWS IAM",
 81    "Use Case: Identity and Access Audit",
 82    "Tactic: Persistence",
 83]
 84timestamp_override = "event.ingested"
 85type = "query"
 86
 87query = '''
 88event.dataset:aws.cloudtrail
 89    and event.provider: rolesanywhere.amazonaws.com
 90    and event.action: CreateProfile
 91    and event.outcome: success
 92'''
 93
 94
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1098"
 99name = "Account Manipulation"
100reference = "https://attack.mitre.org/techniques/T1098/"
101[[rule.threat.technique.subtechnique]]
102id = "T1098.003"
103name = "Additional Cloud Roles"
104reference = "https://attack.mitre.org/techniques/T1098/003/"
105
106
107
108[rule.threat.tactic]
109id = "TA0003"
110name = "Persistence"
111reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and Analysis

Investigating AWS IAM Roles Anywhere Profile Creation

This rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.

Possible Investigation Steps:

  • Identify the Actor: Review the aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id fields to identify who created the profile. Verify if this actor typically performs such actions and if they have the necessary permissions.
  • Review the Request Details: Examine the aws.cloudtrail.request_parameters to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.
  • Analyze the Source of the Request: Investigate the source.ip and source.geo fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.
  • Check the Created Profile’s Permissions: Review the roleArns associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.
  • Verify the Profile’s Configuration: Ensure that the profile's durationSeconds, enabled, and tags are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.

False Positive Analysis:

  • Legitimate Administrative Actions: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
  • Consistency Check: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
  • Verify through Outcomes: Check the aws.cloudtrail.response_elements and the event.outcome to confirm if the profile creation was successful and intended according to policy.

Response and Remediation:

  • Immediate Review and Reversal if Necessary: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.
  • Enhance Monitoring and Alerts: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.
  • Educate and Train: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.
  • Audit IAM Policies and Permissions: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.
  • Incident Response: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

Additional Information:

For further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the AWS Roles Anywhere documentation and AWS best practices for security. Additionally, consult the following resources for specific details on profile management and potential abuse:

References

Related rules

to-top