AWS STS GetFederationToken with AdministratorAccess in Request

Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege abuse or dangerous automation.

Elastic rule

[metadata]
creation_date = "2026/04/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API
returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any
inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an
equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege
abuse or dangerous automation.
"""
false_positives = [
    """
    Highly unusual for legitimate workflows to embed or reference full administrator access in GetFederationToken session
    policies; if found, it is often legacy or misconfigured tooling. Confirm with the owning team and replace with
    least-privilege session policies. Tune only after documented approval.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS GetFederationToken with AdministratorAccess in Request"
note = """## Triage and analysis

### Investigating AWS STS GetFederationToken with AdministratorAccess in Request

`GetFederationToken` issues temporary credentials (typically up to 36 hours) for a **federated user name** you specify.
The effective permissions are the **intersection** of the IAM user’s permissions and the optional session policy in the
request. Including `AdministratorAccess` in `Policy` (or a policy ARN / JSON that names it) is almost always
over-privileged for federation use cases. For first-time `GetFederationToken` usage without this policy signal, see
**AWS First Occurrence of STS GetFederationToken Request by User**.

**Note:** AWS documents that `GetFederationToken` must be called with **long-term IAM user credentials** (not role
temporary credentials). Pivot on `aws.cloudtrail.user_identity.arn` and `access_key_id` accordingly.

#### Possible investigation steps

- Parse `aws.cloudtrail.request_parameters` for `name`, `policy`, and `durationSeconds`.
- Confirm whether the IAM user should perform federation or if the key may be compromised.
- Search CloudTrail for subsequent events using `response_elements.credentials.accessKeyId` from the same response (if
  logged).
- Correlate with IAM changes, data-plane access, or other STS calls from the same `source.ip` in a ±30 minute window.

### False positive analysis

- Typos or test accounts in non-production: still validate and narrow session policies.

### Response and remediation

- Revoke or rotate the IAM user access keys involved; enforce least privilege on the user and replace broad session
  policies.
- [GetFederationToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html)

### Additional information

- [AWS STS temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
"""
references = [
    "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html",
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html",
]
risk_score = 73
rule_id = "f2a3b4c5-d6e7-4f89-a012-b3c4d5e6f789"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetFederationToken"
    and event.outcome: "success"
    and aws.cloudtrail.request_parameters: *AdministratorAccess*
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
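The KQL above and the triage steps in the note, worked through in Python as an added example that is not part of the Elastic rule: it mirrors the query's conditions (including the `*AdministratorAccess*` substring match on the raw request parameters) over constructed CloudTrail records in the ECS layout the rule queries, then pulls out the `name`, `policy`/`policyArns`, `durationSeconds` and issued `accessKeyId` fields the investigation guide says to parse and pivot on. Account id, user names and access key ids are placeholders.

```python
import json

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def make_event(user, params, outcome="success", access_key=None):
    """Build a constructed CloudTrail record (ECS field layout); not a real log."""
    resp = {"credentials": {"accessKeyId": access_key}} if access_key else {}
    return {"event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                      "action": "GetFederationToken", "outcome": outcome},
            "aws": {"cloudtrail": {
                "user_identity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
                "request_parameters": json.dumps(params),   # stored as a JSON string
                "response_elements": json.dumps(resp)}}}

SAMPLE_EVENTS = [
    # policyArns references the managed AdministratorAccess policy -> should match
    make_event("legacy-tool", {"name": "legacy", "durationSeconds": 129600,
                               "policyArns": [{"arn": ADMIN_ARN}]}, access_key="ASIA-PLACEHOLDER-0001"),
    # inline session policy whose Sid names AdministratorAccess -> the wildcard still matches
    make_event("ops-bot", {"name": "ops", "durationSeconds": 3600,
                           "policy": json.dumps({"Statement": [{"Sid": "AdministratorAccess",
                                                 "Effect": "Allow", "Action": "*", "Resource": "*"}]})},
               access_key="ASIA-PLACEHOLDER-0002"),
    # least-privilege session policy -> no match
    make_event("reader", {"name": "reader", "durationSeconds": 3600,
                          "policy": json.dumps({"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                "Resource": "arn:aws:s3:::reports/*"}]})},
               access_key="ASIA-PLACEHOLDER-0003"),
    # AdministratorAccess referenced but the call failed -> excluded by event.outcome
    make_event("intern", {"name": "x", "policyArns": [{"arn": ADMIN_ARN}]}, outcome="failure"),
]

def matches_rule(ev):
    """Same predicate as the rule's KQL query."""
    e = ev.get("event", {})
    params = ev.get("aws", {}).get("cloudtrail", {}).get("request_parameters", "") or ""
    return (e.get("dataset") == "aws.cloudtrail" and e.get("provider") == "sts.amazonaws.com"
            and e.get("action") == "GetFederationToken" and e.get("outcome") == "success"
            and "AdministratorAccess" in params)

def triage(ev):
    """Fields the investigation guide says to parse (request) and pivot on (issued key)."""
    ct = ev["aws"]["cloudtrail"]
    params = json.loads(ct["request_parameters"])
    resp = json.loads(ct.get("response_elements") or "{}")
    return {"user_arn": ct["user_identity"]["arn"],
            "federated_name": params.get("name"),
            "duration_seconds": params.get("durationSeconds"),
            "policy_arns": [p["arn"] for p in params.get("policyArns", [])],
            "inline_policy": params.get("policy"),
            "issued_access_key": resp.get("credentials", {}).get("accessKeyId")}

def run(events):
    """Alerts with the pivot data an analyst would search CloudTrail for next."""
    return [triage(ev) for ev in events if matches_rule(ev)]
```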
