Temporary AWS security credentials generated for user

Docs > Plateforme de sécurité Datadog > OOTB Rules > Temporary AWS security credentials generated for user

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token, are generated for a user.

Strategy

This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.

Triage & Response

Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
If {{@userIdentity.arn}} didn’t intend to generate the federated token:
- Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment OR
- Attach an explicit deny-all IAM policy to the compromised IAM user as this will take precedence over all allow statements.
- Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
Begin your organization’s incident response process and investigate.
Consider the usage of temporary credentials over long-lived credentials associated with IAM users. This prevents the usage of long-lived AWS Access keys which are required for creating federated sessions from IAM users.