AWS IAM Roles Anywhere Trust Anchor Created with External CA

  1[metadata]
  2creation_date = "2024/04/20"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/11/12"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects the creation of an AWS IAM Roles Anywhere Trust Anchor that uses an external certificate authority (CA) rather
 11than an AWS-managed Certificate Manager Private CA (ACM PCA). While Roles Anywhere enables secure, short-term credential
 12issuance for workloads outside AWS, adversaries can exploit this feature by registering their own external CA as a
 13trusted root. This allows them to generate valid client certificates that persistently authenticate to AWS roles from
 14any location, even after key rotation or credential revocation events. This rule helps detect persistence or
 15unauthorized federation attempts by flagging trust anchors configured with non-AWS CAs.
 16"""
 17event_category_override = "event.type"
 18false_positives = [
 19    """
 20    AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access
 21    from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external
 22    certificate authority is authorized.
 23    """,
 24]
 25from = "now-6m"
 26index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 27language = "eql"
 28license = "Elastic License v2"
 29name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA"
 30note = """## Triage and analysis
 31
 32> **Disclaimer**:
 33> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
 34> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
 35
 36### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA
 37
 38AWS IAM Roles Anywhere allows workloads outside AWS (such as on-premises servers or CI/CD agents) to assume AWS IAM roles by presenting X.509 certificates. A trust anchor defines which certificate authority (CA) AWS trusts to validate 
 39these external identities. Normally, organizations use AWS Certificate Manager Private CA (ACM PCA) to control issuance 
 40and revocation. 
 41
 42This detection rule identifies when a trust anchor is created using an **external CA** (`sourceType= "CERTIFICATE_BUNDLE" or "SELF_SIGNED_REPOSITORY"`) rather than an ACM-managed CA (`sourceType="AWS_ACM_PCA"`). This can indicate an adversary establishing persistent external access, enabling them to authenticate using certificates signed by their own CA.
 43
 44#### Possible investigation steps
 45
 46- **Identify the actor**
 47  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
 48  - Determine whether this user or role is normally responsible for IAM configuration or Roles Anywhere setup.
 49
 50- **Review the trust anchor details**
 51  - In `aws.cloudtrail.request_parameters`, confirm the `sourceType` and inspect the certificate chain.
 52  - Look for non-AWS issuer names, custom organization fields, or self-signed CA certificates.
 53
 54- **Assess the scope and risk**
 55  - Identify which IAM roles are linked to this trust anchor via `Profile` associations.
 56  - Determine whether any of those roles provide privileged or cross-account access.
 57  - Check for subsequent API calls like `CreateProfile`, `CreateRole`, or `AssumeRoleWithCertificate` to gauge whether 
 58    the external CA has been used.
 59
 60- **Correlate related activity**
 61  - Search for preceding reconnaissance or setup activity:
 62    - `ListTrustAnchors`, `ListProfiles`, `GetRole`
 63    - Attempts to create additional credential paths (`CreateAccessKey`, `CreateOpenIDConnectProvider`)
 64  - Investigate other actions by the same user identity, particularly IAM role or trust policy modifications.
 65
 66- **Validate legitimacy**
 67  - Confirm with identity management or security engineering teams whether the external CA is an approved authority.
 68  - Review internal PKI or certificate inventories to ensure this CA is registered in the organization’s trust chain.
 69
 70### False positive analysis
 71
 72- **Legitimate external CA use**
 73  - Some organizations integrate trusted third-party PKI providers (e.g., Venafi, DigiCert, Entrust) for workload identity management. Validate whether the CA is part of your documented PKI ecosystem.
 74- **Testing and lab accounts**
 75  - Development or testing environments may temporarily use self-signed certificates to validate Roles Anywhere integrations.
 76  - Confirm that such activity occurs in isolated accounts and not in production.
 77- **Expected administrative setup**
 78  - Initial configuration by security engineers or platform teams may trigger this rule. Verify via change tickets or 
 79    deployment logs before treating as suspicious.
 80
 81### Response and remediation
 82
 83- **Containment**
 84  - If the CA is unauthorized, immediately delete the trust anchor using 
 85    `aws rolesanywhere delete-trust-anchor --trust-anchor-id <id>`.
 86  - Review for any certificates already used to assume roles and revoke those certificates from the external CA.
 87
 88- **Investigation**
 89  - Identify all IAM Roles Anywhere profiles linked to the trust anchor (`ListProfiles`).
 90  - Check CloudTrail for any successful `AssumeRoleWithCertificate` calls associated with the external CA.
 91  - Assess whether lateral movement or data exfiltration occurred after the trust anchor creation.
 92
 93- **Recovery and hardening**
 94  - Replace unauthorized CAs with ACM PCA-managed ones.
 95  - Restrict `rolesanywhere:CreateTrustAnchor` permissions to security administrators only.
 96  - Monitor for new trust anchor creations and external certificate sources via AWS Config rules or Security Hub findings.
 97  - Implement GuardDuty or Security Hub integrations to detect anomalous IAM and Roles Anywhere behavior.
 98
 99### Additional information
100
101- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
102- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
103- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
104"""
105references = [
106    "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
107    "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
108    "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html",
109]
110risk_score = 47
111rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce"
112severity = "medium"
113tags = [
114    "Domain: Cloud",
115    "Data Source: AWS",
116    "Data Source: Amazon Web Services",
117    "Data Source: AWS IAM",
118    "Use Case: Identity and Access Audit",
119    "Tactic: Persistence",
120    "Resources: Investigation Guide",
121]
122timestamp_override = "event.ingested"
123type = "eql"
124
125query = '''
126info where event.dataset == "aws.cloudtrail"
127  and event.provider == "rolesanywhere.amazonaws.com"
128  and event.action == "CreateTrustAnchor"
129  and event.outcome == "success"
130  and not stringContains(aws.cloudtrail.request_parameters, "sourceType=AWS_ACM_PCA")
131'''
132
133
134[[rule.threat]]
135framework = "MITRE ATT&CK"
136[[rule.threat.technique]]
137id = "T1098"
138name = "Account Manipulation"
139reference = "https://attack.mitre.org/techniques/T1098/"
140[[rule.threat.technique.subtechnique]]
141id = "T1098.003"
142name = "Additional Cloud Roles"
143reference = "https://attack.mitre.org/techniques/T1098/003/"
144
145
146
147[rule.threat.tactic]
148id = "TA0003"
149name = "Persistence"
150reference = "https://attack.mitre.org/tactics/TA0003/"
151
152[rule.investigation_fields]
153field_names = [
154    "@timestamp",
155    "user.name",
156    "user_agent.original",
157    "source.ip",
158    "aws.cloudtrail.user_identity.arn",
159    "aws.cloudtrail.user_identity.type",
160    "aws.cloudtrail.user_identity.access_key_id",
161    "target.entity.id",
162    "event.action",
163    "event.outcome",
164    "cloud.account.id",
165    "cloud.region",
166    "aws.cloudtrail.request_parameters",
167    "aws.cloudtrail.response_elements",
168]