New AWS account seen assuming a role into AWS account
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an attacker accesses your AWS account from their AWS Account.
Strategy
This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.
Triage and response
- Determine if the
@userIdentity.accountId is an AWS account is managed by your company. - If not, try to determine who is the owner of the AWS account.
- Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.
Changelog
7 April 2022 - Updated rule query and signal message.
