Temporary AWS security credentials generated for user

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token, are generated for a user.

Strategy

This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.

Triage & Response

  1. Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
  2. If {{@userIdentity.arn}} didn’t intend to generate the federated token:
    • Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment OR
    • Attach an explicit deny-all IAM policy to the compromised IAM user as this will take precedence over all allow statements.
    • Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
  3. Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
  4. Begin your organization’s incident response process and investigate.
  5. Consider the usage of temporary credentials over long-lived credentials associated with IAM users. This prevents the usage of long-lived AWS Access keys which are required for creating federated sessions from IAM users.

Changelog

  • 06 Nov 2024 - Rule query and severity updated.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc