AWS IAM Roles Anywhere Trust Anchor Created with External CA

Detects the creation of an AWS IAM Roles Anywhere Trust Anchor that uses an external certificate authority (CA) rather than an AWS-managed Certificate Manager Private CA (ACM PCA). While Roles Anywhere enables secure, short-term credential issuance for workloads outside AWS, adversaries can exploit this feature by registering their own external CA as a trusted root. This allows them to generate valid client certificates that persistently authenticate to AWS roles from any location, even after key rotation or credential revocation events. This rule helps detect persistence or unauthorized federation attempts by flagging trust anchors configured with non-AWS CAs.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/04/20"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Detects the creation of an AWS IAM Roles Anywhere Trust Anchor that uses an external certificate authority (CA) rather
than an AWS-managed Certificate Manager Private CA (ACM PCA). While Roles Anywhere enables secure, short-term credential
issuance for workloads outside AWS, adversaries can exploit this feature by registering their own external CA as a
trusted root. This allows them to generate valid client certificates that persistently authenticate to AWS roles from
any location, even after key rotation or credential revocation events. This rule helps detect persistence or
unauthorized federation attempts by flagging trust anchors configured with non-AWS CAs.
"""
event_category_override = "event.type"
false_positives = [
    """
    AWS IAM Roles Anywhere trust anchors are legitimate resources that administrators create to let workloads outside
    AWS obtain credentials. Ensure that the trust anchor was created by a legitimate administrator and that the external
    certificate authority is authorized.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA"
note = """## Triage and analysis

### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA

AWS IAM Roles Anywhere allows workloads outside AWS (such as on-premises servers or CI/CD agents) to assume AWS IAM roles by presenting X.509 certificates. A trust anchor defines which certificate authority (CA) AWS trusts to validate
these external identities. Normally, organizations use AWS Certificate Manager Private CA (ACM PCA) to control issuance
and revocation.

This detection rule identifies when a trust anchor is created using an **external CA** (`sourceType` of `CERTIFICATE_BUNDLE` or `SELF_SIGNED_REPOSITORY`) rather than an ACM-managed CA (`sourceType` of `AWS_ACM_PCA`). This can indicate an adversary establishing persistent external access, enabling them to authenticate using certificates signed by their own CA.

#### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
  - Determine whether this user or role is normally responsible for IAM configuration or Roles Anywhere setup.

- **Review the trust anchor details**
  - In `aws.cloudtrail.request_parameters`, confirm the `sourceType` and inspect the certificate chain. For a
    `CERTIFICATE_BUNDLE` source the CA certificate(s) are passed in `source.sourceData.x509CertificateData`; an
    ACM PCA source carries `acmPcaArn` instead.
  - Look for non-AWS issuer names, custom organization fields, or self-signed CA certificates. Decode the PEM with
    `openssl x509 -noout -subject -issuer` and treat a certificate whose subject equals its issuer as self-signed.

- **Assess the scope and risk**
  - Identify which IAM roles can be reached through this trust anchor. Trust anchors and profiles are independent
    resources: a `CreateSession` call names a trust anchor, a profile, and one of the profile's roles, so any enabled
    profile in the account can be paired with the new anchor unless the role's trust policy pins `aws:SourceArn` to
    specific trust anchor ARNs.
  - Determine whether any of those roles provide privileged or cross-account access.
  - Check for subsequent API calls like `CreateProfile`, `CreateRole`, or `CreateSession` (the Roles Anywhere call
    that exchanges a certificate for credentials) to gauge whether the external CA has been used.

- **Correlate related activity**
  - Search for preceding reconnaissance or setup activity:
    - `ListTrustAnchors`, `ListProfiles`, `GetRole`
    - Attempts to create additional credential paths (`CreateAccessKey`, `CreateOpenIDConnectProvider`)
  - Investigate other actions by the same user identity, particularly IAM role or trust policy modifications.

- **Validate legitimacy**
  - Confirm with identity management or security engineering teams whether the external CA is an approved authority.
  - Review internal PKI or certificate inventories to ensure this CA is registered in the organization’s trust chain.

### False positive analysis

- **Legitimate external CA use**
  - Some organizations integrate trusted third-party PKI providers (e.g., Venafi, DigiCert, Entrust) for workload identity management. Validate whether the CA is part of your documented PKI ecosystem.
- **Testing and lab accounts**
  - Development or testing environments may temporarily use self-signed certificates to validate Roles Anywhere integrations.
  - Confirm that such activity occurs in isolated accounts and not in production.
- **Expected administrative setup**
  - Initial configuration by security engineers or platform teams may trigger this rule. Verify via change tickets or
    deployment logs before treating as suspicious.

### Response and remediation

- **Containment**
  - If the CA is unauthorized, immediately cut it off with
    `aws rolesanywhere disable-trust-anchor --trust-anchor-id <id>` (keeps the object for forensics) or
    `aws rolesanywhere delete-trust-anchor --trust-anchor-id <id>`.
  - Review certificates already used to obtain sessions. Roles Anywhere only honours revocation through CRLs imported
    with `ImportCrl`, so revoking at the external CA alone does not block those certificates, and session credentials
    already issued remain valid until they expire.

- **Investigation**
  - Identify all IAM Roles Anywhere profiles that could be paired with the trust anchor (`ListProfiles`).
  - Check CloudTrail for any successful `CreateSession` calls that reference the trust anchor ARN.
  - Assess whether lateral movement or data exfiltration occurred after the trust anchor creation.

- **Recovery and hardening**
  - Replace unauthorized CAs with ACM PCA-managed ones.
  - Restrict `rolesanywhere:CreateTrustAnchor` permissions to security administrators only.
  - Pin each role's trust policy to the approved trust anchor ARNs with an `aws:SourceArn` condition so a rogue anchor
    cannot be paired with existing profiles.
  - Monitor for new trust anchor creations and external certificate sources via AWS Config rules or Security Hub findings.
  - Implement GuardDuty or Security Hub integrations to detect anomalous IAM and Roles Anywhere behavior.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html",
    "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/",
    "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html",
]
risk_score = 47
rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
info where data_stream.dataset == "aws.cloudtrail"
  and event.provider == "rolesanywhere.amazonaws.com"
  and event.action == "CreateTrustAnchor"
  and event.outcome == "success"
  and not stringContains(aws.cloudtrail.request_parameters, "sourceType=AWS_ACM_PCA")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
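
The rule's logic, ported to Python and run over constructed CloudTrail records so the `sourceType` check and the triage fields can be exercised offline. This is an added example, not code or test data from the Elastic rule: the records are constructed in the CloudTrail format for `rolesanywhere.amazonaws.com` with placeholder account IDs, ARNs and IPs, and the `flatten` helper approximates (an assumption) the `key=value` rendering Elastic stores in `aws.cloudtrail.request_parameters`. The fourth record shows a limitation of the EQL substring check: a tag value containing the literal text `sourceType=AWS_ACM_PCA` (AWS tag values permit `=`) silences `stringContains` even though the anchor's real source is external, while a check on the `source.sourceType` field still fires.

```python
"""Python port of the trust-anchor rule over constructed CloudTrail records.

Added example, not part of the Elastic rule. All identifiers are placeholders.
"""
import json

ROLESANYWHERE = "rolesanywhere.amazonaws.com"
ACCOUNT = "111122223333"


def _event(source_type, anchor_id, tags=None, error_code=None):
    """Build a constructed CreateTrustAnchor CloudTrail record (not a real event)."""
    if source_type == "AWS_ACM_PCA":
        source_data = {"acmPcaArn": f"arn:aws:acm-pca:us-east-1:{ACCOUNT}:"
                                    "certificate-authority/00000000-aaaa-0000-0000-000000000000"}
    else:
        source_data = {"x509CertificateData": "<PEM CA certificate bundle>"}
    event = {
        "eventSource": ROLESANYWHERE,
        "eventName": "CreateTrustAnchor",
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/ops-admin",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": f"anchor-{anchor_id}",
                              "source": {"sourceType": source_type, "sourceData": source_data}},
        "responseElements": {"trustAnchor": {
            "trustAnchorArn": f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:trust-anchor/{anchor_id}"}},
    }
    if tags:
        event["requestParameters"]["tags"] = tags
    if error_code:                      # a denied call has errorCode and no response body
        event["errorCode"] = error_code
        del event["responseElements"]
    return event


# Constructed sample: external bundle, ACM PCA, denied call, external bundle with a decoy tag.
SAMPLE_EVENTS = [
    _event("CERTIFICATE_BUNDLE", "ta-external"),
    _event("AWS_ACM_PCA", "ta-managed"),
    _event("SELF_SIGNED_REPOSITORY", "ta-denied", error_code="AccessDeniedException"),
    _event("CERTIFICATE_BUNDLE", "ta-decoy",
           tags=[{"key": "Note", "value": "sourceType=AWS_ACM_PCA"}]),
]


def flatten(value):
    """Approximate Elastic's key=value rendering of request_parameters (assumed format)."""
    if isinstance(value, dict):
        return "{" + ", ".join(f"{k}={flatten(v)}" for k, v in value.items()) + "}"
    if isinstance(value, list):
        return "[" + ", ".join(flatten(v) for v in value) + "]"
    return str(value)


def _is_successful_create_trust_anchor(event):
    """event.provider, event.action and event.outcome == "success" from the EQL query."""
    return (event.get("eventSource") == ROLESANYWHERE
            and event.get("eventName") == "CreateTrustAnchor"
            and "errorCode" not in event)


def substring_rule_alerts(event):
    """Literal port of the EQL: alert unless the flattened parameters contain the ACM PCA marker."""
    if not _is_successful_create_trust_anchor(event):
        return False
    return "sourceType=AWS_ACM_PCA" not in flatten(event.get("requestParameters", {}))


def structured_rule_alerts(event):
    """Hardened variant: test the actual source.sourceType field, immune to decoy text elsewhere."""
    if not _is_successful_create_trust_anchor(event):
        return False
    source = event.get("requestParameters", {}).get("source", {})
    return source.get("sourceType") != "AWS_ACM_PCA"


def triage_summary(event):
    """Pull the fields the investigation guide asks for out of a matching record."""
    identity = event.get("userIdentity", {})
    source = event.get("requestParameters", {}).get("source", {})
    anchor = event.get("responseElements", {}).get("trustAnchor", {})
    return {
        "actor": identity.get("arn"),
        "access_key": identity.get("accessKeyId"),
        "source_ip": event.get("sourceIPAddress"),
        "source_type": source.get("sourceType"),
        "anchor_arn": anchor.get("trustAnchorArn"),
        "ca_pem_present": "x509CertificateData" in source.get("sourceData", {}),
    }


def detect(events):
    """Run the structured check over a batch of records and return triage summaries."""
    return [triage_summary(e) for e in events if structured_rule_alerts(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Run on the sample, `detect` returns two hits (`ta-external` and `ta-decoy`), while the literal substring port only catches `ta-external`. If the deployed rule cannot test the structured field, a cheap mitigation is to also alert on `sourceData` containing `x509CertificateData`, which only appears for external sources.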

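For the scope-and-risk step, the following added example (not part of the rule) works out which roles a newly created trust anchor can reach. Because trust anchors and profiles are independent, the reachable set is every role in every enabled profile whose trust policy does not pin `aws:SourceArn` to other anchors. It assumes the response shapes of `aws rolesanywhere list-trust-anchors` and `aws rolesanywhere list-profiles` (`trustAnchors[].source.sourceType`, `profiles[].enabled`, `profiles[].roleArns`) and the role trust policy form AWS documents for Roles Anywhere; all ARNs, names and policies below are constructed, and only `aws:SourceArn` pinning is evaluated (Deny statements and other condition keys are ignored, so the result over-approximates).

```python
"""Blast radius of a trust anchor: which roles can a CreateSession call reach through it?

Added example, not part of the Elastic rule. Input shapes follow the Roles Anywhere
list-trust-anchors / list-profiles responses; every value below is constructed.
"""
import fnmatch

ACCOUNT = "111122223333"
APPROVED_ANCHOR = f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:trust-anchor/ta-approved"
ROGUE_ANCHOR = f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:trust-anchor/ta-rogue"
PINNED_ROLE = f"arn:aws:iam::{ACCOUNT}:role/PinnedDeployRole"
UNPINNED_ROLE = f"arn:aws:iam::{ACCOUNT}:role/UnpinnedAdminRole"
LEGACY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/LegacyRole"

# Constructed `aws rolesanywhere list-trust-anchors` output.
TRUST_ANCHORS = {"trustAnchors": [
    {"trustAnchorArn": APPROVED_ANCHOR, "name": "corp-pca", "enabled": True,
     "source": {"sourceType": "AWS_ACM_PCA",
                "sourceData": {"acmPcaArn": f"arn:aws:acm-pca:us-east-1:{ACCOUNT}:"
                                            "certificate-authority/00000000-aaaa-0000-0000-000000000000"}}},
    {"trustAnchorArn": ROGUE_ANCHOR, "name": "onprem-ca", "enabled": True,
     "source": {"sourceType": "CERTIFICATE_BUNDLE",
                "sourceData": {"x509CertificateData": "<PEM CA certificate>"}}},
]}

# Constructed `aws rolesanywhere list-profiles` output.
PROFILES = {"profiles": [
    {"profileArn": f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:profile/p-ci", "name": "ci-build",
     "enabled": True, "roleArns": [PINNED_ROLE, UNPINNED_ROLE]},
    {"profileArn": f"arn:aws:rolesanywhere:us-east-1:{ACCOUNT}:profile/p-legacy", "name": "legacy",
     "enabled": False, "roleArns": [LEGACY_ROLE]},
]}


def _rolesanywhere_trust_policy(condition=None):
    """Trust policy in the form AWS documents for Roles Anywhere, optionally pinned."""
    statement = {"Effect": "Allow",
                 "Principal": {"Service": "rolesanywhere.amazonaws.com"},
                 "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed role trust policies, keyed by role ARN.
TRUST_POLICIES = {
    PINNED_ROLE: _rolesanywhere_trust_policy({"ArnEquals": {"aws:SourceArn": APPROVED_ANCHOR}}),
    UNPINNED_ROLE: _rolesanywhere_trust_policy(),
    LEGACY_ROLE: _rolesanywhere_trust_policy(),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def external_anchors(list_trust_anchors_output):
    """Trust anchors whose source is not ACM PCA, i.e. what the rule flags."""
    return [ta for ta in list_trust_anchors_output["trustAnchors"]
            if ta["source"]["sourceType"] != "AWS_ACM_PCA"]


def trust_policy_admits_anchor(policy, anchor_arn):
    """True if an Allow statement lets rolesanywhere.amazonaws.com assume the role via this anchor.

    Only aws:SourceArn pinning (ArnEquals / ArnLike) is evaluated; an unpinned statement
    accepts any trust anchor in the account.
    """
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and "rolesanywhere.amazonaws.com" not in services:
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
            continue
        condition = statement.get("Condition", {})
        pins = (_as_list(condition.get("ArnEquals", {}).get("aws:SourceArn", []))
                + _as_list(condition.get("ArnLike", {}).get("aws:SourceArn", [])))
        if not pins or any(fnmatch.fnmatchcase(anchor_arn, pin) for pin in pins):
            return True
    return False


def reachable_roles(anchor_arn, list_profiles_output, trust_policies):
    """Roles in enabled profiles that a session through anchor_arn could assume."""
    hits = []
    for profile in list_profiles_output["profiles"]:
        if not profile.get("enabled", False):
            continue
        for role_arn in profile.get("roleArns", []):
            if trust_policy_admits_anchor(trust_policies[role_arn], anchor_arn):
                hits.append({"profile": profile["name"], "role": role_arn})
    return hits


if __name__ == "__main__":
    for anchor in external_anchors(TRUST_ANCHORS):
        print(anchor["trustAnchorArn"], reachable_roles(anchor["trustAnchorArn"], PROFILES, TRUST_POLICIES))
```

With the constructed data, the rogue anchor reaches `UnpinnedAdminRole` through the `ci-build` profile but not `PinnedDeployRole`, whose trust policy names only the approved anchor; the disabled `legacy` profile is excluded. That difference is the argument for the hardening step of pinning every Roles Anywhere role to its approved trust anchor ARNs.
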