AWS IAM Roles Anywhere trust anchor created

Goal

Detect when an IAM Roles Anywhere trust anchor is created.

Strategy

This rule monitors CloudTrail logs for CreateTrustAnchor API calls. An attacker may attempt to establish persistence by creating an IAM Roles Anywhere trust anchor. The IAM Roles Anywhere service allows workloads that do not run in AWS to assume roles by presenting a client-side X.509 certificate issued by a certificate authority that has been registered with the service as a “trust anchor”.
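As an added illustration of the rule's logic (example code written for this page, not Datadog's rule implementation), the Python below runs the CreateTrustAnchor match over constructed CloudTrail records and extracts the fields the triage steps ask for. The eventSource value and the requestParameters layout are assumptions about how Roles Anywhere logs the call; the account id and IP addresses are placeholders.

```python
import json
from typing import Dict, Iterable, List

# Constructed CloudTrail records (placeholder account id and IPs). Assumptions:
# Roles Anywhere logs under eventSource "rolesanywhere.amazonaws.com", and the
# CreateTrustAnchor requestParameters carry a name and a source.sourceType.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "rolesanywhere.amazonaws.com",
     "eventName": "CreateTrustAnchor", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "on-prem-ca",
                           "source": {"sourceType": "CERTIFICATE_BUNDLE"}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "rolesanywhere.amazonaws.com",
     "eventName": "ListTrustAnchors", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

def is_trust_anchor_creation(record: Dict) -> bool:
    """The rule's match: the exact API name, scoped to the Roles Anywhere service."""
    return (record.get("eventSource") == "rolesanywhere.amazonaws.com"
            and record.get("eventName") == "CreateTrustAnchor")

def triage_summary(record: Dict) -> Dict:
    """Fields the triage steps need: who, from where, when, and which CA was registered."""
    params = record.get("requestParameters") or {}
    return {
        "event": record.get("eventName"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "time": record.get("eventTime"),
        "anchor_name": params.get("name"),
        "ca_source_type": (params.get("source") or {}).get("sourceType"),
    }

def detect(records: Iterable[Dict]) -> List[Dict]:
    """Run the rule over CloudTrail records and return one triage summary per hit."""
    return [triage_summary(r) for r in records if is_trust_anchor_creation(r)]

def detect_from_trail_json(trail_json: str) -> List[Dict]:
    """Same, for a raw CloudTrail log file body of the form {"Records": [...]}."""
    return detect(json.loads(trail_json).get("Records", []))

if __name__ == "__main__":
    for hit in detect_from_trail_json(SAMPLE_TRAIL):
        print(hit)
```

Only the CreateTrustAnchor record produces a hit; the ListTrustAnchors call from the same user and the unrelated IAM call are ignored, which is what keeps the rule from firing on routine read activity.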

Triage & response

  1. Determine if the API call: {{@evt.name}} should have been performed by the user: {{@userIdentity.arn}}:
    • Contact the user to confirm if they made the API call.
  2. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what actions the user took and which new access keys the user created.
    • Begin your organization’s incident response process and investigate.
  3. If the API call was made legitimately by the user:
    • Confirm if an IAM Roles Anywhere trust anchor is the proper authentication mechanism for the resource.