Temporary AWS security credentials generated for user

Goal

Detect when a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token, are generated for a user.

Strategy

This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.

Triage & Response

  1. Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
  2. If {{@userIdentity.arn}} didn’t intend to generate the federated token:
    • Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment OR
    • Attach an explicit deny-all IAM policy to the compromised IAM user as this will take precedence over all allow statements.
    • Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
  3. Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
  4. Begin your organization’s incident response process and investigate.
  5. Consider the usage of temporary credentials over long-lived credentials associated with IAM users. This prevents the usage of long-lived AWS Access keys which are required for creating federated sessions from IAM users.

Changelog

  • 06 Nov 2024 - Rule query and severity updated.