Skip to content

[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens #4901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+26 −10
Open

[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens #4901

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 26 additions & 10 deletions rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,20 +2,19 @@
creation_date = "2025/04/16"
integration = ["aws"]
maturity = "production"
updated_date = "2025/04/16"
updated_date = "2025/07/10"

[rule]
author = ["Elastic"]
description = """
Detects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with 'ASIA').
This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
Detects use of sensitive AWS IAM API operations using temporary credentials (session tokens starting with 'ASIA'). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
"""
false_positives = [
"""
Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate.
""",
]
from = "now-9m"
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
Expand All @@ -29,15 +28,15 @@ This rule detects sensitive IAM API operations performed using temporary AWS cre

#### Possible investigation steps:

- Review aws.cloudtrail.user_identity.arn to determine which IAM user or assumed role initiated the request.
- Check aws.cloudtrail.user_identity.access_key_id to confirm if the credential starts with 'ASIA', indicating a temporary session token.
- Examine aws.cloudtrail.user_identity.session_context.mfa_authenticated to verify whether MFA was present during session creation.
- Investigate source.ip to assess whether the request originated from a known network, office IP, or corporate VPN.
- Look at user_agent.original to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
- Review `aws.cloudtrail.user_identity.arn` to determine which IAM user or assumed role initiated the request.
- Check `aws.cloudtrail.user_identity.access_key_id` to confirm if the credential starts with 'ASIA', indicating a temporary session token.
- Examine `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to verify whether MFA was present during session creation.
- Investigate `source.ip` to assess whether the request originated from a known network, office IP, or corporate VPN.
- Look at `user_agent.original` to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
- Confirm whether a recent sts:GetSessionToken, sts:AssumeRole, or AWS SSO login event issued the temporary credential.
- Correlate other events using the same access key ID to identify additional privileged actions, such as iam:CreateAccessKey, iam:PutUserPolicy, or iam:EnableMFADevice.
- Analyze timing via @timestamp to determine if the action occurred during off-hours or deviates from normal user behavior.
- Review the event.outcome to check if the API call was successful or failed, which may indicate unauthorized access attempts.
- Review the `event.outcome` to check if the API call was successful or failed, which may indicate unauthorized access attempts.
- Check for related events in the same session, such as iam:CreateUser, iam:AttachUserPolicy, or sts:GetCallerIdentity, to identify potential lateral movement or privilege escalation.

### False positive analysis:
Expand Down Expand Up @@ -77,10 +76,27 @@ type = "new_terms"
query = '''
event.dataset: aws.cloudtrail
and event.provider: ("iam.amazonaws.com")
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: "IAMUser"
and aws.cloudtrail.user_identity.access_key_id: ASIA*
'''

[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters"
]

[[rule.threat]]
framework = "MITRE ATT&CK"

Expand Down
Loading