Anomalous number of assumed roles from user


Goal

Detect when a user has attempted to assume an anomalous number of unique roles.

Strategy

This rule builds a per-user baseline of AssumeRole API calls (recorded in AWS CloudTrail), specifically the number of distinct roles a user attempts to assume within a time window, whether or not the call succeeds. A window in which that count departs sharply from the user's own history is flagged as potentially anomalous.

An attacker who has obtained a user's credentials may try assuming many roles for the following reasons:

  • To identify which roles the user account is permitted to assume.
  • To identify what AWS services are being used internally.
  • To identify third-party integrations and internal software (role names and trust policies often reveal them).

Triage and response

  1. Investigate the activity of the ARN {{@userIdentity.arn}}, using the session name {{@userIdentity.session_name}} to isolate the session in question.
  2. Review any other security signals for {{@userIdentity.arn}}.
  3. If the activity is deemed malicious:
    • Rotate the user's credentials. Note that rotating an IAM user's access keys does not invalidate temporary credentials already issued by successful AssumeRole calls; those sessions must be revoked separately.
    • Determine what other API calls were made by the user, including those made under the assumed roles.
    • Begin your organization's incident response process and investigate.
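The baseline-and-threshold logic described under Strategy, together with the "what other API calls were made" triage step, can be sketched in a few dozen lines. The Python below is an added example and not the rule's own implementation; it runs over constructed, CloudTrail-shaped AssumeRole records (the account ID 123456789012 and the user and role names are placeholders), compares each principal's latest hourly window against that principal's own history, and applies an absolute floor so a zero-variance baseline does not flag a user who merely went from one role to two.

```python
"""Flag a principal whose distinct AssumeRole targets in the latest window far
exceed that principal's own historical baseline.

Added example, not the rule's implementation. All records below are
constructed; the account ID, user names and role names are placeholders.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder account ID
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"


def role(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


def _rec(time, arn, source, event_name, role_arn=None, error=None):
    """Build a minimal CloudTrail-shaped record with only the fields used here."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": event_name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"roleArn": role_arn} if role_arn else {},
    }
    if error:
        rec["errorCode"] = error  # a denied AssumeRole is still an attempt
    return rec


STS, S3 = "sts.amazonaws.com", "s3.amazonaws.com"
SAMPLE_EVENTS = [
    # Six quiet hours of history for alice: one or two roles per hour.
    _rec("2024-05-01T08:05:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T09:10:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T09:40:00Z", ALICE, STS, "AssumeRole", role("readonly")),
    _rec("2024-05-01T10:02:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T11:15:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T11:30:00Z", ALICE, STS, "AssumeRole", role("readonly")),
    _rec("2024-05-01T12:05:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T13:01:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    # Hour 14: alice tries seven distinct roles, three of them denied.
    _rec("2024-05-01T14:01:00Z", ALICE, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T14:02:00Z", ALICE, STS, "AssumeRole", role("readonly")),
    _rec("2024-05-01T14:03:00Z", ALICE, STS, "AssumeRole", role("billing-admin"), "AccessDenied"),
    _rec("2024-05-01T14:04:00Z", ALICE, STS, "AssumeRole", role("security-audit"), "AccessDenied"),
    _rec("2024-05-01T14:05:00Z", ALICE, STS, "AssumeRole", role("ci-runner")),
    _rec("2024-05-01T14:06:00Z", ALICE, STS, "AssumeRole", role("data-pipeline")),
    _rec("2024-05-01T14:07:00Z", ALICE, STS, "AssumeRole", role("break-glass"), "AccessDenied"),
    _rec("2024-05-01T14:20:00Z", ALICE, S3, "ListBuckets"),
    # bob: a zero-variance baseline (one role per hour) followed by two roles.
    _rec("2024-05-01T08:30:00Z", BOB, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T09:30:00Z", BOB, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T10:30:00Z", BOB, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T11:30:00Z", BOB, STS, "AssumeRole", role("deploy")),
    _rec("2024-05-01T11:45:00Z", BOB, STS, "AssumeRole", role("readonly")),
]


def window_start(event_time, window):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its window."""
    t = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    epoch = datetime(1970, 1, 1)
    return epoch + ((t - epoch) // window) * window


def unique_roles_per_window(events, window=timedelta(hours=1)):
    """Map principal ARN -> window start -> set of distinct roleArn values attempted."""
    out = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["eventSource"] != STS or ev["eventName"] != "AssumeRole":
            continue
        out[ev["userIdentity"]["arn"]][window_start(ev["eventTime"], window)].add(
            ev["requestParameters"]["roleArn"])
    return out


def detect_anomalies(events, window=timedelta(hours=1), sigma=3.0, min_roles=3):
    """Return [(arn, window_start, unique_roles, threshold)] for each principal whose
    latest window exceeds max(mean + sigma*stdev of prior windows, min_roles)."""
    findings = []
    for arn, windows in unique_roles_per_window(events, window).items():
        ordered = sorted(windows)
        history = [len(windows[w]) for w in ordered[:-1]]
        if len(history) >= 2:
            threshold = max(statistics.mean(history) + sigma * statistics.stdev(history), min_roles)
        else:
            threshold = min_roles  # too little history: absolute floor only
        count = len(windows[ordered[-1]])
        if count > threshold:
            findings.append((arn, ordered[-1], count, round(threshold, 2)))
    return findings


def other_api_calls(events, arn):
    """Triage helper: every non-AssumeRole (eventSource, eventName) pair by the principal."""
    return sorted({(ev["eventSource"], ev["eventName"]) for ev in events
                   if ev["userIdentity"]["arn"] == arn and ev["eventName"] != "AssumeRole"})


if __name__ == "__main__":
    for arn, start, count, threshold in detect_anomalies(SAMPLE_EVENTS):
        print(f"{arn} attempted {count} distinct roles from {start:%H:%M} (threshold {threshold})")
        print("  other calls:", other_api_calls(SAMPLE_EVENTS, arn))
```

Denied attempts are counted deliberately: an attacker enumerating roles will mostly be refused, and a rule keyed only on successful calls would miss the loudest part of the behaviour. A production version would also evaluate every window rather than only the latest one, and would pivot from the flagged session into the API calls made under each assumed role's session, which appear in CloudTrail under the role's ARN rather than the user's.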