<  Back to rules search

New AWS Account Seen Assuming a Role into AWS Account






Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Detect when an attacker accesses your AWS account from their AWS Account.


This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@usr.account_id) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.

Triage and response

  1. Determine if the @usr.account_id is an AWS account is managed by your company.
  2. If not, try to determine who is the owner of the AWS account.
  3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.


7 April 2022 - Update rule query and signal message.