New AWS account seen assuming a role into AWS account

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an attacker accesses your AWS account from their AWS Account.

Strategy

This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.

Triage and response

  1. Determine if the @userIdentity.accountId is an AWS account is managed by your company.
  2. If not, try to determine who is the owner of the AWS account.
  3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.

Changelog

7 April 2022 - Updated rule query and signal message.