AWS IAM Roles Anywhere Trust Anchor Created with External CA

Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"

[rule]
author = ["Elastic"]
description = """
Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles
Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This
rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS
Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in
the environment.
"""
false_positives = [
    """
    AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access
    from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external
    certificate authority is authorized.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA"
note = """
## Triage and Analysis

### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA

This rule detects when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule identifies when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.

#### Possible Investigation Steps:

- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the trust anchor creation. Look for any unusual parameters that could suggest unauthorized or malicious modifications.
- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.
- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the trust anchor was created. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Verify the Certificate Authority**: Ensure that the external certificate authority used is authorized and recognized. Unauthorized external CAs can be a red flag for malicious activity.

### False Positive Analysis:

- **Legitimate Administrative Actions**: Confirm if the trust anchor creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the creation was successful and intended according to policy.

### Response and Remediation:

- **Immediate Review and Reversal if Necessary**: If the creation was unauthorized, remove the trust anchor and revoke any associated permissions.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving the creation of trust anchors with external certificate authorities.
- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning IAM Roles Anywhere and the use of certificate authorities.
- **Audit IAM Roles and Policies**: Conduct a comprehensive audit of all IAM roles and associated policies to ensure they adhere to the principle of least privilege.
- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.

### Additional Information:

For further guidance on managing IAM Roles Anywhere and securing AWS environments, refer to the [AWS IAM Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. Additionally, consult the following resources for specific details on IAM roles and trust anchors:
- [AWS IAM Roles Anywhere Introduction](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)
- [Ermetic Blog on IAM Users and Third Parties](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)
"""
references = [
    "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
    "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
    "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html",
]
risk_score = 47
rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: rolesanywhere.amazonaws.com
    and event.action: CreateTrustAnchor
    and event.outcome: success
    and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
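The query above matches on ECS-normalised fields, so it is easy to lose sight of which raw CloudTrail conditions it actually encodes and which records it deliberately lets through (ACM PCA-backed anchors, denied calls, other Roles Anywhere actions). The following Python is an added example, not code from the Elastic rule or its repository: it re-implements the rule's four conditions over raw CloudTrail records and pulls out the triage fields the note lists first (actor ARN, access key, source IP, timestamp, trust anchor name, CA source type). It assumes the native CloudTrail JSON field names (`eventSource`, `eventName`, `errorCode`, `requestParameters`, `userIdentity`, `sourceIPAddress`, `eventTime`), that a CreateTrustAnchor request carries `requestParameters.source.sourceType`, and that `CERTIFICATE_BUNDLE` is one of the non-ACM PCA source types accepted by the CreateTrustAnchor API the rule references; the mapping of those raw fields onto the ECS names in the KQL is likewise an assumption. All sample records, ARNs, IPs and the access key id are constructed placeholders.

```python
"""Re-implementation of the rule's matching logic over raw CloudTrail records.

Added example, not the Elastic rule's own code. Assumes native CloudTrail JSON
field names and requestParameters.source.sourceType for CreateTrustAnchor; the
correspondence to the ECS fields in the KQL (event.provider, event.action,
event.outcome, aws.cloudtrail.request_parameters) is assumed, not taken from
the rule itself.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ROLES_ANYWHERE_PROVIDER = "rolesanywhere.amazonaws.com"
ACM_PCA_SOURCE_TYPE = "AWS_ACM_PCA"  # the only sourceType the rule treats as AWS-managed


@dataclass(frozen=True)
class Finding:
    """Triage fields the rule's note asks an analyst to review first."""
    event_time: str
    actor_arn: str
    access_key_id: Optional[str]
    source_ip: str
    trust_anchor_name: Optional[str]
    source_type: Optional[str]


def is_external_ca_trust_anchor(record: dict) -> bool:
    """Mirror the KQL: Roles Anywhere CreateTrustAnchor, successful, sourceType not AWS_ACM_PCA."""
    if record.get("eventSource") != ROLES_ANYWHERE_PROVIDER:   # event.provider
        return False
    if record.get("eventName") != "CreateTrustAnchor":          # event.action
        return False
    # CloudTrail records a failed call with errorCode; its absence is what
    # event.outcome: success represents, so denied attempts do not fire.
    if record.get("errorCode"):
        return False
    source = (record.get("requestParameters") or {}).get("source") or {}
    # Like the KQL negation, a missing sourceType still matches: only an
    # explicit AWS_ACM_PCA source is excluded.
    return source.get("sourceType") != ACM_PCA_SOURCE_TYPE


def to_finding(record: dict) -> Finding:
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    return Finding(
        event_time=record.get("eventTime", ""),
        actor_arn=identity.get("arn", ""),
        access_key_id=identity.get("accessKeyId"),
        source_ip=record.get("sourceIPAddress", ""),
        trust_anchor_name=params.get("name"),
        source_type=(params.get("source") or {}).get("sourceType"),
    )


def scan(records: Iterable[dict]) -> List[Finding]:
    """Return one Finding per record that satisfies the rule."""
    return [to_finding(r) for r in records if is_external_ca_trust_anchor(r)]


# Constructed sample records: account id, ARNs, IPs and key id are placeholders.
SAMPLE_RECORDS = [
    {   # external CA bundle, successful call: should fire
        "eventTime": "2024-07-23T02:14:09Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateTrustAnchor",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "requestParameters": {"name": "vendor-ca",
                              "source": {"sourceType": "CERTIFICATE_BUNDLE"}},
    },
    {   # ACM PCA-backed anchor: excluded by the rule's negation
        "eventTime": "2024-07-23T09:00:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateTrustAnchor",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/pki-admin"},
        "requestParameters": {"name": "corp-pca",
                              "source": {"sourceType": "AWS_ACM_PCA"}},
    },
    {   # same kind of external request but denied: no success outcome
        "eventTime": "2024-07-23T02:20:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateTrustAnchor",
        "errorCode": "AccessDenied",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"name": "vendor-ca-2",
                              "source": {"sourceType": "CERTIFICATE_BUNDLE"}},
    },
    {   # a different Roles Anywhere action: out of scope for this rule
        "eventTime": "2024-07-23T02:25:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateProfile",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"name": "vendor-profile"},
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Running the block on the constructed records yields a single finding (the `vendor-ca` anchor created by `alice` from `203.0.113.10`); the denied attempt is worth noting during triage even though the rule, like the KQL, does not alert on it, since the same actor and IP appear in both records. A record whose `sourceType` is absent altogether also fires, matching the rule's behaviour of excluding only an explicit `AWS_ACM_PCA` source.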
