Indications of malicious trust anchor creation


Goal

Detect when a trust anchor and profile are created using AWS IAM Roles Anywhere by the same identity.

Strategy

This rule monitors CloudTrail logs for CreateTrustAnchor and CreateProfile events from the AWS IAM Roles Anywhere service and triggers when both are issued by the same identity.

The IAM Roles Anywhere service allows workloads that do not run in AWS to assume roles by presenting a client-side X.509 certificate signed by a trusted certificate authority, represented as a trust anchor. An attacker creating a trust anchor can subsequently assume IAM roles that have a trust policy with IAM Roles Anywhere.

Triage and response

  1. Determine if the user, {{@userIdentity.arn}}, should be generating a new trust anchor.
  2. Investigate the user behavior and access information:
    • Review the user agent, IP address, and other identifying information for evidence of abnormal access.
    • Look at additional events, such as {{@userIdentity.arn}} and {{@userIdentity.accessKeyId}} triggering CreateSession during the surrounding timeframe. The related events can be searched for in Roles Anywhere logs: @eventSource:rolesanywhere.amazonaws.com.
  3. If the behavior is abnormal for the user and your environment:
    • Rotate the credentials.
    • Investigate if the same credentials took other unauthorized actions.
    • Begin your company’s IR process and investigate.
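The correlation the Strategy section describes, and the follow-up search for CreateSession calls in triage step 2, as an added example that is not Datadog's rule implementation: it walks a list of CloudTrail records, flags any identity ARN that issued both CreateTrustAnchor and CreateProfile within a time window, and then lists the CreateSession events from the rolesanywhere.amazonaws.com event source made afterwards by the same ARN or access key. The sample records, account ID, ARNs, access key IDs and IP addresses are constructed placeholders.

```python
"""Correlate CloudTrail events for IAM Roles Anywhere trust-anchor creation.

Added example, not the detection rule's own code. Works on plain CloudTrail
record dicts (the same fields the rule queries: eventSource, eventName,
userIdentity.arn, userIdentity.accessKeyId).
"""
from collections import defaultdict
from datetime import datetime, timedelta

ROLES_ANYWHERE = "rolesanywhere.amazonaws.com"

# Constructed sample CloudTrail records: account id, ARNs, access key ids and
# addresses are placeholders, not real data.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateTrustAnchor",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLE000001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15"},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLE000001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateSession",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAEXAMPLE000001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15"},
    # A different identity creates only a profile: no trust anchor, no alert.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": ROLES_ANYWHERE,
     "eventName": "CreateProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "accessKeyId": "AKIAEXAMPLE000002"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com"},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_trust_anchor_creation(events, window=timedelta(hours=1)):
    """Return one alert per CreateTrustAnchor that the same identity ARN paired
    with a CreateProfile inside `window` (the hypothetical window is an
    assumption of this example, not a value from the rule)."""
    by_arn = defaultdict(list)
    for e in events:
        if e.get("eventSource") != ROLES_ANYWHERE:
            continue
        if e.get("eventName") in ("CreateTrustAnchor", "CreateProfile"):
            by_arn[e["userIdentity"]["arn"]].append(e)

    alerts = []
    for arn, evs in by_arn.items():
        anchors = [e for e in evs if e["eventName"] == "CreateTrustAnchor"]
        profiles = [e for e in evs if e["eventName"] == "CreateProfile"]
        for a in anchors:
            t_anchor = parse_time(a["eventTime"])
            for p in profiles:
                if abs(parse_time(p["eventTime"]) - t_anchor) <= window:
                    alerts.append({
                        "arn": arn,
                        "accessKeyId": a["userIdentity"].get("accessKeyId"),
                        "trust_anchor_time": a["eventTime"],
                        "profile_time": p["eventTime"],
                        # Collected for triage step 2: compare against the
                        # identity's normal access pattern.
                        "sourceIPAddress": sorted({a["sourceIPAddress"], p["sourceIPAddress"]}),
                        "userAgent": sorted({a["userAgent"], p["userAgent"]}),
                    })
                    break  # one alert per trust anchor is enough
    return alerts


def related_sessions(events, alert, window=timedelta(hours=24)):
    """Triage step 2: CreateSession calls in the Roles Anywhere event source
    made after the trust anchor by the same ARN or the same access key."""
    start = parse_time(alert["trust_anchor_time"])
    hits = []
    for e in events:
        if e.get("eventSource") != ROLES_ANYWHERE or e.get("eventName") != "CreateSession":
            continue
        ident = e["userIdentity"]
        same_principal = (ident.get("arn") == alert["arn"]
                          or ident.get("accessKeyId") == alert["accessKeyId"])
        t = parse_time(e["eventTime"])
        if same_principal and start <= t <= start + window:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for alert in find_trust_anchor_creation(SAMPLE_EVENTS):
        print("ALERT trust anchor + profile by", alert["arn"],
              "from", alert["sourceIPAddress"], "agent", alert["userAgent"])
        for s in related_sessions(SAMPLE_EVENTS, alert):
            print("  follow-on CreateSession at", s["eventTime"])
```

The correlation keys on userIdentity.arn because that is what the rule's Goal requires; the session lookup also matches on accessKeyId so that a session issued under the same key but logged with a differently formatted principal is still surfaced for the analyst.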
