AWS STS Role Assumption by Service

  1[metadata]
  2creation_date = "2021/05/17"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/06/18"
  6
  7[rule]
  8author = ["Elastic", "Austin Songer"]
  9description = """
 10Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
 11"""
 12false_positives = [
 13    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes. AWS services might assume roles to access AWS resources as part of their standard operations. Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.",
 14]
 15from = "now-6m"
 16interval = "5m"
 17index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 18language = "kuery"
 19license = "Elastic License v2"
 20name = "AWS STS Role Assumption by Service"
 21note = """## Triage and analysis
 22
 23### Investigating AWS STS Role Assumption by Service
 24
 25This rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.
 26
 27#### Possible Investigation Steps
 28
 29- **Identify the Actor and Assumed Role**:
 30  - **User Identity**: Review the `aws.cloudtrail.user_identity.invoked_by` field to determine which service initiated the `AssumeRole` action.
 31  - **Role Assumed**: Check the `aws.cloudtrail.resources.arn` field to confirm the assumed role and ensure it aligns with expected responsibilities.
 32  - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.
 33 - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.
 34
 35- **Inspect the User Agent for Tooling Identification**:
 36  - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. Indicators include:
 37    - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.
 38    - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.
 39    - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.
 40
 41- **Contextualize with Related Events**:
 42  - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.
 43  - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.
 44
 45- **Evaluate the Privilege Level of the Assumed Role**:
 46  - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.
 47  - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.
 48
 49### False Positive Analysis
 50
 51- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. Check user agents and ARNs for consistency with known workflows.
 52- **Routine AWS Service Actions**: Historical data may reveal if the same service assumes new roles regularly as part of authorized operations.
 53
 54### Response and Remediation
 55
 56- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.
 57- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.
 58- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.
 59- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.
 60
 61### Additional Information
 62
 63For more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.
 64"""
 65references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
 66risk_score = 21
 67rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 68severity = "low"
 69tags = [
 70    "Domain: Cloud",
 71    "Data Source: AWS",
 72    "Data Source: Amazon Web Services",
 73    "Data Source: AWS STS",
 74    "Resources: Investigation Guide",
 75    "Use Case: Identity and Access Audit",
 76    "Tactic: Privilege Escalation",
 77    "Tactic: Lateral Movement",
 78]
 79timestamp_override = "event.ingested"
 80type = "new_terms"
 81
 82query = '''
 83event.dataset: "aws.cloudtrail"
 84    and event.provider: "sts.amazonaws.com"
 85    and event.action: "AssumeRole"
 86    and event.outcome: "success"
 87    and aws.cloudtrail.user_identity.type: "AWSService"
 88    and aws.cloudtrail.user_identity.invoked_by: (
 89          "ec2.amazonaws.com" or
 90          "lambda.amazonaws.com" or
 91          "rds.amazonaws.com" or
 92          "ssm.amazonaws.com" or
 93          "ecs-tasks.amazonaws.com" or
 94          "ecs.amazonaws.com" or
 95          "eks.amazonaws.com" or
 96          "eks-fargate.amazonaws.com" or
 97          "codepipeline.amazonaws.com" or
 98          "codebuild.amazonaws.com" or
 99          "autoscaling.amazonaws.com")
100'''
101
102[rule.investigation_fields]
103field_names = [
104    "@timestamp",
105    "source.address",
106    "user_agent.original",
107    "aws.cloudtrail.user_identity.invoked_by",
108    "aws.cloudtrail.user_identity.type",
109    "aws.cloudtrail.flattened.response_elements.credentials.accessKeyId",
110    "event.action",
111    "event.outcome",
112    "aws.cloudtrail.resources.arn",
113    "aws.cloudtrail.resources.type",
114    "aws.cloudtrail.flattened.request_parameters.roleSessionName",
115    "cloud.region",
116    "cloud.account.id",
117    "aws.cloudtrail.request_parameters",
118    "aws.cloudtrail.response_elements"
119]
120
121[[rule.threat]]
122framework = "MITRE ATT&CK"
123[[rule.threat.technique]]
124id = "T1548"
125name = "Abuse Elevation Control Mechanism"
126reference = "https://attack.mitre.org/techniques/T1548/"
127
128
129[rule.threat.tactic]
130id = "TA0004"
131name = "Privilege Escalation"
132reference = "https://attack.mitre.org/tactics/TA0004/"
133[[rule.threat]]
134framework = "MITRE ATT&CK"
135[[rule.threat.technique]]
136id = "T1550"
137name = "Use Alternate Authentication Material"
138reference = "https://attack.mitre.org/techniques/T1550/"
139[[rule.threat.technique.subtechnique]]
140id = "T1550.001"
141name = "Application Access Token"
142reference = "https://attack.mitre.org/techniques/T1550/001/"
143
144
145
146[rule.threat.tactic]
147id = "TA0008"
148name = "Lateral Movement"
149reference = "https://attack.mitre.org/tactics/TA0008/"
150
151[rule.new_terms]
152field = "new_terms_fields"
153value = ["aws.cloudtrail.user_identity.invoked_by", "aws.cloudtrail.resources.arn"]
154[[rule.new_terms.history_window_start]]
155field = "history_window_start"
156value = "now-10d"