Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2018-06-04
- Author: David Dorsey, Splunk
- ID: 2f2f610a-d64d-48c2-b57c-967a2b49ab5a
Amazon Web Services (AWS) admins manage access to AWS resources and services across the enterprise using AWS’s Identity and Access Management (IAM) functionality. IAM provides the ability to create and manage AWS users, groups, and roles-each with their own unique set of privileges and defined access to specific resources (such as EC2 instances, the AWS Management Console, API, or the command-line interface). Unlike conventional (human) users, IAM roles are assumable by anyone in the organization. They provide users with dynamically created temporary security credentials that expire within a set time period.
Herein lies the rub. In between the time between when the temporary credentials are issued and when they expire is a period of opportunity, where a user could leverage the temporary credentials to wreak havoc-spin up or remove instances, create new users, elevate privileges, and other malicious activities-throughout the environment.
This Analytic Story includes searches that will help you monitor your AWS CloudTrail logs for evidence of suspicious cross-account activity. For example, while accessing multiple AWS accounts and roles may be perfectly valid behavior, it may be suspicious when an account requests privileges of an account it has not accessed in the past. After identifying suspicious activities, you can use the provided investigative searches to help you probe more deeply.
|aws detect attach to role policy||Valid Accounts||Hunting|
|aws detect permanent key creation||Valid Accounts||Hunting|
|aws detect role creation||Valid Accounts||Hunting|
|aws detect sts assume role abuse||Valid Accounts||Hunting|
|aws detect sts get session token abuse||Use Alternate Authentication Material||Hunting|
source | version: 1