Temporary AWS security credentials generated for user
Goal
Detect when a set of temporary security credentials, consisting of an access key ID, a secret access key, and a security token, is generated for a user.
Strategy
This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.
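As an added example (not Datadog's rule implementation and not AWS code), the following Python applies the same two-field match to a handful of hand-constructed CloudTrail records and pulls out what the triage steps need: the caller's ARN (the value behind {{@userIdentity.arn}}), the federated user name that was requested, and the estimated expiry of the issued session. The record layout follows CloudTrail's format, but the account ID, user names, timestamps and session names are invented; the 12-hour fallback is the AWS default applied when DurationSeconds is omitted from the GetFederationToken call.

```python
"""Rule logic run over sample CloudTrail records.

Added illustration, not Datadog's rule implementation and not AWS code.
The records below are constructed by hand: field names follow the
CloudTrail record format, but every account ID, user name, session name
and timestamp is fictitious.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable

# AWS default for GetFederationToken when DurationSeconds is omitted (12 hours).
DEFAULT_DURATION_SECONDS = 43200

# Constructed records (not real log data). Only eventSource and eventName decide
# a match; userIdentity.arn and requestParameters.name feed the triage steps.
SAMPLE_EVENTS = [
    {   # should match: STS GetFederationToken called with IAM user credentials
        "eventTime": "2024-11-06T10:15:30Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "build-bot", "durationSeconds": 43200},
    },
    {   # same service, different API call: must not match
        "eventTime": "2024-11-06T10:16:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": None,
    },
    {   # right eventName, wrong eventSource: must not match
        "eventTime": "2024-11-06T10:17:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    },
    {   # should match: no durationSeconds supplied, so AWS applies the default
        "eventTime": "2024-11-06T22:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetFederationToken",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "requestParameters": {"name": "carol-session"},
    },
]


def matches_rule(event: dict) -> bool:
    """Exact-match equivalent of the rule query:
    @eventSource:sts.amazonaws.com AND @eventName:GetFederationToken."""
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "GetFederationToken")


def session_expiry(event: dict) -> str:
    """Estimate when the issued credentials stop working on their own:
    eventTime plus the requested durationSeconds. Until then, disabling the
    caller's access key does not affect them; only a permission change does."""
    issued = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    params = event.get("requestParameters") or {}   # CloudTrail may log null here
    duration = int(params.get("durationSeconds", DEFAULT_DURATION_SECONDS))
    return (issued + timedelta(seconds=duration)).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_context(event: dict) -> dict:
    """Fields the triage steps need: who called (fills {{@userIdentity.arn}}),
    which federated user name was requested, and how long the session lives."""
    params = event.get("requestParameters") or {}
    return {
        "caller_arn": (event.get("userIdentity") or {}).get("arn", "<unknown>"),
        "federated_user": params.get("name", "<unknown>"),
        "expires_at": session_expiry(event),
    }


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the rule over an iterable of CloudTrail records and return one
    triage context per match, in log order."""
    return [triage_context(e) for e in events if matches_rule(e)]


def detect_trail_file(trail_file: dict) -> list[dict]:
    """CloudTrail delivers records wrapped as {"Records": [...]}; unwrap, then detect."""
    return detect(trail_file.get("Records", []))


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['caller_arn']} issued federated session "
              f"'{hit['federated_user']}' valid until {hit['expires_at']}")
```

Running the file prints the two matching records. The expiry column is the point of the exercise: it is the window during which the federated credentials keep working regardless of what happens to the access key that created them, which is why the triage steps call for removing the IAM user's permissions or attaching an explicit deny rather than just disabling the key.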
Triage & Response
- Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
- If {{@userIdentity.arn}} didn’t intend to generate the federated token:
  - Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment, OR
  - Attach an explicit deny-all IAM policy to the compromised IAM user, as an explicit deny takes precedence over all allow statements.
  - Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
- Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
- Begin your organization’s incident response process and investigate.
- Prefer temporary credentials over long-lived credentials associated with IAM users. This prevents the use of long-lived AWS access keys, which are required for creating federated sessions from IAM users.
Changelog
- 06 Nov 2024 - Rule query and severity updated.