Anomalous number of assumed roles from user


Goal

Detect when a user has attempted to assume an anomalous number of unique roles.

Strategy

This rule establishes a per-user baseline for AssumeRole API calls and flags deviations from it, such as a user assuming an unusually large number of distinct roles in a short period.

An attacker may attempt this for the following reasons:

  • To enumerate which roles the compromised user account is permitted to assume.
  • To identify which AWS services are used internally.
  • To identify third-party integrations and internal software.

Triage and response

  1. Investigate activity for the ARN {{@userIdentity.arn}} under the session name {{@userIdentity.session_name}}.
  2. Review any other security signals raised for {{@userIdentity.arn}}.
  3. If the activity is deemed malicious:
    • Rotate user credentials.
    • Determine what other API calls were made by the user.
    • Begin your organization’s incident response process and investigate.
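The baseline-and-deviation logic from the Strategy section, and the "determine what other API calls were made" triage step, can be illustrated with a small script over CloudTrail-style events. This is an added example, not the rule's actual implementation: the events, account id, user and role names are constructed, and the thresholds (`min_roles`, `factor`, `baseline_days`) are assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta, timezone

# Placeholder account id and ARN prefixes (constructed for this example).
ACCOUNT = "123456789012"
ROLE = "arn:aws:iam::" + ACCOUNT + ":role/"
USER = "arn:aws:iam::" + ACCOUNT + ":user/"


def _t(s):
    """Parse a CloudTrail eventTime string into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ev(user, name, time, role=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    e = {"eventName": name, "eventTime": time, "userIdentity": {"arn": USER + user}}
    if role:
        e["requestParameters"] = {"roleArn": ROLE + role}
    return e


# Constructed sample events: alice normally assumes one or two roles a day,
# then on 2024-05-04 sweeps through five distinct roles; bob is steady.
SAMPLE_EVENTS = [
    ev("alice", "AssumeRole", "2024-05-01T09:00:00Z", "deploy"),
    ev("alice", "AssumeRole", "2024-05-02T09:05:00Z", "deploy"),
    ev("alice", "AssumeRole", "2024-05-02T14:00:00Z", "readonly"),
    ev("alice", "AssumeRole", "2024-05-03T09:00:00Z", "deploy"),
    ev("alice", "AssumeRole", "2024-05-04T10:00:00Z", "deploy"),
    ev("alice", "AssumeRole", "2024-05-04T10:01:00Z", "billing-admin"),
    ev("alice", "AssumeRole", "2024-05-04T10:02:00Z", "security-audit"),
    ev("alice", "AssumeRole", "2024-05-04T10:03:00Z", "third-party-crm"),
    ev("alice", "AssumeRole", "2024-05-04T10:04:00Z", "data-lake"),
    ev("alice", "ListBuckets", "2024-05-04T10:06:00Z"),
    ev("alice", "GetCallerIdentity", "2024-05-04T10:07:00Z"),
    ev("bob", "AssumeRole", "2024-05-01T08:00:00Z", "ci"),
    ev("bob", "AssumeRole", "2024-05-03T08:00:00Z", "ci"),
    ev("bob", "AssumeRole", "2024-05-04T08:00:00Z", "ci"),
]


def unique_roles_per_day(events):
    """Map user ARN -> {date -> set of distinct role ARNs assumed that day}."""
    out = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["eventName"] != "AssumeRole":
            continue
        day = _t(e["eventTime"]).date()
        out[e["userIdentity"]["arn"]][day].add(e["requestParameters"]["roleArn"])
    return out


def find_anomalies(events, detection_day, baseline_days=7, min_roles=3, factor=2.0):
    """Flag users whose distinct-role count on detection_day (YYYY-MM-DD) is at
    least min_roles and more than factor times their largest daily count in
    the preceding baseline_days. Thresholds are assumed, not the rule's own."""
    target = date.fromisoformat(detection_day)
    start = target - timedelta(days=baseline_days)
    flagged = {}
    for user, days in unique_roles_per_day(events).items():
        today = len(days.get(target, ()))
        history = [len(r) for d, r in days.items() if start <= d < target]
        baseline = max(history) if history else 0
        if today >= min_roles and today > factor * baseline:
            flagged[user] = {
                "roles_today": today,
                "baseline_max": baseline,
                "roles": sorted(days[target]),
            }
    return flagged


def other_api_calls(events, user_arn, detection_day):
    """Triage helper: distinct non-AssumeRole API calls the identity made that day."""
    target = date.fromisoformat(detection_day)
    return sorted({
        e["eventName"] for e in events
        if e["userIdentity"]["arn"] == user_arn
        and e["eventName"] != "AssumeRole"
        and _t(e["eventTime"]).date() == target
    })


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_EVENTS, "2024-05-04")
    for arn, info in hits.items():
        print(arn, info)
        print("  other calls:", other_api_calls(SAMPLE_EVENTS, arn, "2024-05-04"))
```

A real deployment would read events from a CloudTrail export or a log index and compute the baseline over a longer window than three days; the point here is that the signal is the count of distinct `roleArn` values per identity relative to that identity's own history, not the raw volume of AssumeRole calls.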