AWS STS Role Assumption by User
Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/11/05"
integration = ["aws"]
maturity = "production"
updated_date = "2024/11/07"

[rule]
author = ["Elastic"]
description = """
Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain
temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege
escalation. This is a [New
Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies
when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS
resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or
lateral movement within an AWS environment.
"""
false_positives = [
    "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
    "Applications integrated with AWS might assume roles to access AWS resources.",
    "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.",
]
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS Role Assumption by User"
note = """## Triage and Analysis

### Investigating AWS STS Role Assumption by User

This rule detects when a user assumes a role in AWS Security Token Service (STS), receiving temporary credentials to access AWS resources. While often used for legitimate purposes, this action can be leveraged by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.

#### Possible Investigation Steps

- **Identify the User and Assumed Role**:
  - **User Identity**: Check `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` for details about the initiator of the `AssumeRole` action.
  - **Role Assumed**: Review `aws.cloudtrail.flattened.request_parameters.roleArn` to confirm the role assumed and ensure it aligns with the user's standard permissions.
  - **Session Name**: Note `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the purpose of the session.

- **Evaluate Session Context and Credential Duration**:
  - **Session Details**: Look into `aws.cloudtrail.user_identity.session_context.creation_date` for the start of the session and `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to check for MFA usage.
  - **Credential Validity**: Examine `aws.cloudtrail.flattened.request_parameters.durationSeconds` for how long the credentials are valid.
  - **Expiration Time**: Use `aws.cloudtrail.flattened.response_elements.credentials.expiration` to confirm the credential expiration.

- **Inspect User Agent and Source Information**:
  - **User Agent**: Analyze the `user_agent.original` field to identify if specific tooling or SDKs like AWS CLI, Boto3, or custom agents were used.
  - **Source IP and Geolocation**: Examine `source.address` and `source.geo` fields to determine the origin of the request, confirming if it aligns with expected locations.

- **Correlate with Related Events**:
  - **Identify Patterns**: Review related CloudTrail events for unusual access patterns, such as resource access or sensitive actions following this `AssumeRole` action.
  - **Filter High-Volume Roles**: If this role or user has a high volume of access, evaluate `roleArn` or `user_agent` values for common patterns and add trusted entities as exceptions.

- **Review the Privileges of the Assumed Role**:
  - **Permissions**: Examine permissions associated with the `roleArn` to assess its access scope.
  - **Authorized Usage**: Confirm if the role is used frequently for administrative purposes and if this aligns with the user's regular responsibilities.

### False Positive Analysis

- **Automated Processes and Applications**: Applications or scheduled tasks may assume roles regularly for operational purposes. Validate the consistency of the `user_agent` or `roleArn` with known automated workflows.
- **Standard IAM Policy Usage**: Confirm if the user or application routinely assumes this specific role for normal operations by reviewing historical activity.

### Response and Remediation

- **Terminate Unauthorized Sessions**: If the role assumption is deemed unauthorized, revoke the session by modifying IAM policies or the permissions associated with the assumed role.
- **Strengthen Monitoring and Alerts**: Implement additional monitoring for specific high-risk roles, especially those with elevated permissions.
- **Regularly Manage Exceptions**: Regularly review high-volume roles and user agent patterns to refine alerts, minimizing noise by adding trusted patterns as exceptions.
- **Incident Response**: If confirmed as malicious, follow incident response protocols for containment, investigation, and remediation.

### Additional Information

For more details on managing and securing AWS STS in your environment, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
"""
references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"]
risk_score = 21
rule_id = "288a198e-9b9b-11ef-a0a8-f661ea17fbcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Resources: Investigation Guide",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "AssumeRole"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser")
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.address",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "aws.cloudtrail.flattened.request_parameters.roleArn",
    "aws.cloudtrail.flattened.request_parameters.roleSessionName",
    "event.action",
    "event.outcome",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.name", "aws.cloudtrail.flattened.request_parameters.roleArn"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
```
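The rule's query is an ordinary KQL filter; what makes it fire is the New Terms evaluation over the `user.name` / `roleArn` pair against a ten-day history window. The Python below is an added example (not Elastic's code and not how the Elastic rule engine is implemented): it reproduces the query's clauses and a simplified new-terms check over constructed CloudTrail records. The account ID `111122223333`, the user and role names, the run window and the `now` value are all constructed assumptions, chosen so that one event is filtered by `event.outcome`, one by the identity-type clause, and one alerts only because its earlier occurrence falls outside the history window.

```python
from datetime import datetime, timedelta, timezone

# --- Constructed sample data (not real CloudTrail output) ------------------
def _ev(event_id, ts, user, role, identity_type="IAMUser", outcome="success"):
    """Build a CloudTrail record pre-flattened to the ECS field names the rule uses."""
    return {
        "event.id": event_id, "@timestamp": ts,
        "event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
        "event.action": "AssumeRole", "event.outcome": outcome,
        "user.name": user, "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.flattened.request_parameters.roleArn":
            f"arn:aws:iam::111122223333:role/{role}",  # constructed account ID
    }

SAMPLE_EVENTS = [
    _ev("e1", "2024-11-01T09:00:00Z", "alice", "DeployRole"),  # inside the 10-day history window
    _ev("e2", "2024-10-20T09:00:00Z", "carol", "AdminRole"),   # older than the history window
    _ev("e3", "2024-11-07T08:00:00Z", "alice", "DeployRole"),  # pair already seen -> no alert
    _ev("e4", "2024-11-07T08:05:00Z", "alice", "AdminRole"),   # new pair -> alert
    _ev("e5", "2024-11-07T08:10:00Z", "carol", "AdminRole",
        identity_type="AssumedRole"),                          # seen, but not within window -> alert
    _ev("e6", "2024-11-07T08:15:00Z", "bob", "DeployRole",
        outcome="failure"),                                    # fails event.outcome clause
    _ev("e7", "2024-11-07T08:20:00Z", "lambda.amazonaws.com", "DeployRole",
        identity_type="AWSService"),                           # fails identity-type clause
]

# --- Rule logic ------------------------------------------------------------
RULE_FILTER = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "AssumeRole",
    "event.outcome": "success",
}
ALLOWED_IDENTITY_TYPES = {"AssumedRole", "IAMUser"}
NEW_TERMS_FIELDS = ("user.name", "aws.cloudtrail.flattened.request_parameters.roleArn")
HISTORY_WINDOW = timedelta(days=10)  # history_window_start = "now-10d"

# Assumed evaluation instant and rule look-back for this run.
NOW = datetime(2024, 11, 7, 12, 0, tzinfo=timezone.utc)
RUN_START = datetime(2024, 11, 7, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_query(event):
    """Equivalent of the rule's KQL query: all exact-match clauses plus the identity-type set."""
    return (all(event.get(k) == v for k, v in RULE_FILTER.items())
            and event.get("aws.cloudtrail.user_identity.type") in ALLOWED_IDENTITY_TYPES)


def term_of(event):
    return tuple(event.get(f) for f in NEW_TERMS_FIELDS)


def new_term_alerts(events, run_start=RUN_START, now=NOW):
    """Simplified new-terms evaluation: a matching event inside [run_start, now]
    alerts when its (user.name, roleArn) combination did not occur in the
    history window [now - 10d, run_start). One alert per new combination per run."""
    history_start = now - HISTORY_WINDOW
    seen = set()
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_query(ev):
            continue
        ts = parse_ts(ev["@timestamp"])
        if history_start <= ts < run_start:
            seen.add(term_of(ev))            # baseline: terms known from the history window
        elif run_start <= ts <= now and term_of(ev) not in seen:
            alerts.append(ev)
            seen.add(term_of(ev))
    return alerts


def alert_ids(events=SAMPLE_EVENTS):
    return [ev["event.id"] for ev in new_term_alerts(events)]


if __name__ == "__main__":
    for ev in new_term_alerts(SAMPLE_EVENTS):
        print(ev["event.id"], ev["user.name"], "->", term_of(ev)[1])
```

Running it against the constructed records alerts on `e4` and `e5` only: `e3` repeats a pair already seen in the window, `e6` failed, and `e7` is a service principal that the rule leaves to its sibling "by Service" rule. The carol case is worth noting when tuning: a combination last seen more than ten days ago is "new" again, which is why the guide's advice to review historical activity before adding exceptions matters.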
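The investigation steps in the guide (session context, credential duration, user agent, exceptions for known automation) and the "Terminate Unauthorized Sessions" response step can be expressed as a small triage helper. The following is an added example, not Elastic's code or part of the rule: it runs the guide's checks over a constructed alert document and builds the session-revocation policy. The one-hour duration threshold, the exception list, the ISO 8601 timestamp format of the constructed document and the `triage` / `revoke_sessions_policy` names are assumptions; the revocation policy itself is the `aws:TokenIssueTime` deny condition AWS applies when revoking a role's active sessions, attached to the assumed role as an inline policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed alert document (not a real CloudTrail record), keyed by the
# field names the investigation guide refers to. Timestamps are ISO 8601 here.
ALERT = {
    "@timestamp": "2024-11-07T08:05:00Z",
    "user.name": "alice",
    "aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/alice",
    "aws.cloudtrail.user_identity.type": "IAMUser",
    "aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false",
    "aws.cloudtrail.flattened.request_parameters.roleArn": "arn:aws:iam::111122223333:role/AdminRole",
    "aws.cloudtrail.flattened.request_parameters.roleSessionName": "cli-session",
    "aws.cloudtrail.flattened.request_parameters.durationSeconds": 43200,
    "aws.cloudtrail.flattened.response_elements.credentials.expiration": "2024-11-07T20:05:00Z",
    "user_agent.original": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0 exe/x86_64",
    "source.address": "203.0.113.10",
}

MAX_EXPECTED_DURATION = 3600  # assumed triage threshold: flag sessions longer than one hour

# Assumed exception list for the "Filter High-Volume Roles" step:
# (user-agent marker, roleArn) pairs that are known, legitimate automation.
KNOWN_AUTOMATION = [
    ("Boto3/", "arn:aws:iam::111122223333:role/BackupRole"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_user_agent(user_agent):
    """Coarse tooling classification of user_agent.original."""
    ua = user_agent or ""
    if ua.startswith("aws-cli/"):
        return "aws-cli"
    if "Boto3/" in ua:
        return "boto3"
    if "aws-sdk" in ua.lower():
        return "aws-sdk"
    return "other"


def is_known_automation(alert, exceptions=KNOWN_AUTOMATION):
    ua = alert.get("user_agent.original", "")
    role = alert.get("aws.cloudtrail.flattened.request_parameters.roleArn")
    return any(marker in ua and role == known_role for marker, known_role in exceptions)


def triage(alert, max_duration=MAX_EXPECTED_DURATION):
    """Apply the guide's session-context checks and return a summary for the analyst."""
    get = alert.get
    findings = []
    mfa = str(get("aws.cloudtrail.user_identity.session_context.mfa_authenticated", "")).lower()
    if mfa != "true":
        findings.append("session not MFA-authenticated")
    duration = int(get("aws.cloudtrail.flattened.request_parameters.durationSeconds", 3600))
    if duration > max_duration:
        findings.append(f"credentials requested for {duration}s (> {max_duration}s)")
    expiration = get("aws.cloudtrail.flattened.response_elements.credentials.expiration")
    if expiration and get("@timestamp"):
        # The returned expiration should equal request time + durationSeconds.
        expected = parse_ts(get("@timestamp")) + timedelta(seconds=duration)
        if abs(parse_ts(expiration) - expected) > timedelta(minutes=1):
            findings.append("credential expiration does not match requested duration")
    return {
        "initiator": get("aws.cloudtrail.user_identity.arn"),
        "role": get("aws.cloudtrail.flattened.request_parameters.roleArn"),
        "session_name": get("aws.cloudtrail.flattened.request_parameters.roleSessionName"),
        "source": get("source.address"),
        "user_agent_kind": classify_user_agent(get("user_agent.original")),
        "known_automation": is_known_automation(alert),
        "findings": findings,
    }


def revoke_sessions_policy(issued_before):
    """Inline deny policy that invalidates every session of the role whose token was
    issued before `issued_before` (datetime or ISO 8601 string); attach it to the
    assumed role. New sessions issued after that instant keep working."""
    if isinstance(issued_before, str):
        issued_before = parse_ts(issued_before)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ALERT), indent=2))
    print(json.dumps(revoke_sessions_policy(datetime.now(timezone.utc)), indent=2))
```

For the constructed alert the summary reports an `aws-cli` session without MFA requesting twelve-hour credentials, with no matching automation exception, which is the combination the guide treats as worth escalating. Because the deny condition is time-based, revoking with a timestamp slightly after the offending `AssumeRole` also cuts any other sessions of that role issued earlier, so record the timestamp used and expect legitimate consumers of the role to re-assume it.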
References
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Related rules
- AWS STS Role Assumption by Service
- AWS IAM Assume Role Policy Update
- AWS IAM AdministratorAccess Policy Attached to User
- AWS IAM Customer-Managed Policy Attached to Role by Rare User
- AWS STS GetCallerIdentity API Called for the First Time