Data Source: AWS STS

AWS EC2 Instance Console Login via Assumed Role

Nov 17, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS EC2 Data Source: AWS STS Data Source: AWS Sign-In Use Case: Identity and Access Audit Tactic: Lateral Movement Tactic: Credential Access Tactic: Persistence Resources: Investigation Guide ·

Share on:

Detects successful AWS Management Console or federation login activity performed using an EC2 instance’s assumed role credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2 instance ID) is highly anomalous and may indicate that an adversary obtained the instance’s temporary credentials from the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement, privilege escalation, or persistence within the AWS account.

AWS STS Role Chaining

Oct 6, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Threat Detection Tactic: Persistence Tactic: Privilege Escalation Tactic: Lateral Movement Resources: Investigation Guide ·

Share on:

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API. While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges. Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration. This is a new terms rule that looks for the first occurance of one role (aws.cloudtrail.user_identity.session_context.session_issuer.arn) assuming another (aws.cloudtrail.resources.arn).

AWS First Occurrence of STS GetFederationToken Request by User

Aug 29, 2025 · Domain: Cloud Data Source: Amazon Web Services Data Source: AWS Data Source: AWS STS Use Case: Threat Detection Tactic: Defense Evasion Tactic: Persistence Resources: Investigation Guide ·

Share on:

Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. The maximum expiration period for these tokens is 36 hours and they can be used to create a console signin token even for identities that don't already have one. Adversaries may use this API to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.

AWS STS GetCallerIdentity API Called for the First Time

Aug 25, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Identity and Access Audit Tactic: Discovery Resources: Investigation Guide ·

Share on:

An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS GetCallerIdentity API, which may be an indicator of compromised credentials. A legitimate user would not need to perform this operation as they should know the account they are using.

AWS STS AssumeRole with New MFA Device

Aug 22, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Use Case: Identity and Access Audit Tactic: Privilege Escalation Tactic: Persistence Tactic: Lateral Movement Resources: Investigation Guide ·

Share on:

Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation.

AWS IAM API Calls via Temporary Session Tokens

Jul 15, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS CloudTrail Data Source: AWS IAM Data Source: AWS STS Tactic: Persistence Tactic: Privilege Escalation Resources: Investigation Guide ·

Share on:

Detects use of sensitive AWS IAM API operations using temporary credentials (session tokens starting with 'ASIA'). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.

AWS STS Role Assumption by Service

Jun 24, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Resources: Investigation Guide Use Case: Identity and Access Audit Tactic: Privilege Escalation Tactic: Lateral Movement ·

Share on:

Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.

AWS STS Role Assumption by User

Jun 24, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Resources: Investigation Guide Use Case: Identity and Access Audit Tactic: Privilege Escalation Tactic: Lateral Movement ·

Share on:

Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a New Terms rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.

AWS STS AssumeRoot by Rare User and Member Account

Jan 22, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS STS Resources: Investigation Guide Use Case: Identity and Access Audit Tactic: Privilege Escalation ·

Share on:

Identifies when the STS AssumeRoot action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a New Terms rule that identifies when the STS AssumeRoot action is performed by a user that rarely assumes this role and specific member account.