New AWS account seen assuming a role into AWS account

Goal

Detect when an attacker accesses your AWS account from their AWS Account.

Strategy

This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.

Triage and response

  1. Determine if the @userIdentity.accountId is an AWS account is managed by your company.
  2. If not, try to determine who is the owner of the AWS account.
  3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.

Changelog

7 April 2022 - Updated rule query and signal message.