New AWS account seen assuming a role into AWS account

cloudtrail

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1199-trusted-relationship

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an attacker accesses your AWS account from their AWS Account.

Strategy

This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.

Triage and response

  1. Determine if the @userIdentity.accountId is an AWS account is managed by your company.
  2. If not, try to determine who is the owner of the AWS account.
  3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.

Changelog

7 April 2022 - Updated rule query and signal message.