Temporary AWS security credentials generated for user

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a set of temporary security credentials consisting of an access key ID, a secret access key, and a security token, are generated for a user.

Strategy

This rule monitors CloudTrail and detects when any @eventName has a value of GetFederationToken and @eventSource has a value of sts.amazonaws.com. An adversary can maintain persistence within an AWS environment using credentials generated from sts:GetFederationToken, even if the original AWS access keys have been deleted.

Triage & Response

  1. Determine if the user {{@userIdentity.arn}} intended to generate a federated token for the observed federated user(s).
  2. If {{@userIdentity.arn}} didn’t intend to generate the federated token:
    • Completely remove all permissions of the compromised IAM user, as simply disabling the access key used to issue the session is not enough for containment OR
    • Attach an explicit deny-all IAM policy to the compromised IAM user as this will take precedence over all allow statements.
    • Follow AWS’ recommendation on How to revoke federated users’ active AWS sessions.
  3. Investigate other activities performed by the user {{@userIdentity.arn}} and the observed federated user(s) using the Cloud SIEM - User Investigation dashboard.
  4. Begin your organization’s incident response process and investigate.
  5. Consider the usage of temporary credentials over long-lived credentials associated with IAM users. This prevents the usage of long-lived AWS Access keys which are required for creating federated sessions from IAM users.

Changelog

  • 06 Nov 2024 - Rule query and severity updated.
PREVIEWING: rtrieu/product-analytics-ui-changes