Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect when a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token, are generated for a user.

Strategy

This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.

Triage & Response

1. Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
2. If {{@userIdentity.arn}} didn’t intend to generate the federated token:
   • Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment OR
   • Attach an explicit deny-all IAM policy to the compromised IAM user as this will take precedence over all allow statements.
   • Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
3. Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
4. Begin your organization’s incident response process and investigate.
5. Consider the usage of temporary credentials over long-lived credentials associated with IAM users. This prevents the usage of long-lived AWS Access keys which are required for creating federated sessions from IAM users.