Anomalous number of assumed roles from user
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a user has attempted to assume an anomalous number of unique roles.
Strategy
This rule sets a baseline for user activity for the AssumeRole
API call, and enables detection of potentially anomalous activity.
An attacker may attempt this for the following reasons:
- To identify which roles the user account has access to.
- To identify what AWS services are being used internally.
- To identify third party integrations and internal software.
Triage and response
- Investigate activity for the following ARN
{{@userIdentity.arn}}
using {{@userIdentity.session_name}}
. - Review any other security signals for
{{@userIdentity.arn}}
. - If the activity is deemed malicious:
- Rotate user credentials.
- Determine what other API calls were made by the user.
- Begin your organization’s incident response process and investigate.