New AWS account seen assuming a role into AWS account
Goal
Detect when an attacker accesses your AWS account from their AWS Account.
Strategy
This rule lets you monitor AssumeRole (@evt.name:AssumeRole) CloudTrail API calls to detect when an external AWS account (@userIdentity.accountId) assumes a role into your AWS account (account). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.
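The learn-then-alert logic described above, as an added example written here and not Datadog's own rule implementation: it filters CloudTrail records down to cross-account AssumeRole calls, treats the first 7 days of data as the learning window, and emits one signal for each source account first seen after that window. The CloudTrail field names (eventName, userIdentity.accountId, recipientAccountId, requestParameters.roleArn) are the real schema; the event records and account IDs are constructed, and measuring the window from the earliest event rather than from the rule's creation time is an assumption of this example.

```python
"""Baseline-then-alert detection for cross-account AssumeRole.
Added example of the rule's logic, not Datadog's implementation.
The sample events below are constructed; field names follow CloudTrail."""
from datetime import datetime, timedelta, timezone

LEARNING_WINDOW = timedelta(days=7)

# Constructed CloudTrail records, trimmed to the fields the detection needs.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventTime": "2022-04-01T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
    {"eventName": "AssumeRole", "eventTime": "2022-04-03T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
    # Same-account AssumeRole (e.g. an instance role): not cross-account, ignored.
    {"eventName": "AssumeRole", "eventTime": "2022-04-05T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/AppRole"}},
    # Unrelated API call from an external account: ignored.
    {"eventName": "GetCallerIdentity", "eventTime": "2022-04-06T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222"}},
    # After the learning window: never-seen external account -> signal.
    {"eventName": "AssumeRole", "eventTime": "2022-04-09T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "333333333333"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
    # After the learning window: account learned during baseline -> no signal.
    {"eventName": "AssumeRole", "eventTime": "2022-04-10T10:00:00Z",
     "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deploy"}},
]


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_cross_account_assume_role(evt):
    """True for AssumeRole calls whose caller account differs from the target account."""
    src = evt.get("userIdentity", {}).get("accountId")
    return (evt.get("eventName") == "AssumeRole"
            and src is not None
            and src != evt.get("recipientAccountId"))


def detect_new_accounts(events, window=LEARNING_WINDOW):
    """Return signals as (eventTime, source account, roleArn) tuples.

    Accounts seen during the first `window` of data form the baseline (the
    window is measured from the earliest event; an assumption of this example).
    Afterwards each source account fires at most one signal, on first sight,
    and is then added to the known set like any baseline account.
    """
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    if not events:
        return []
    start = parse_time(events[0]["eventTime"])
    known = set()
    signals = []
    for evt in events:
        if not is_cross_account_assume_role(evt):
            continue
        src = evt["userIdentity"]["accountId"]
        if parse_time(evt["eventTime"]) - start >= window and src not in known:
            signals.append((evt["eventTime"], src,
                            evt.get("requestParameters", {}).get("roleArn")))
        known.add(src)
    return signals


if __name__ == "__main__":
    for when, account, role in detect_new_accounts(SAMPLE_EVENTS):
        print(f"{when}: new external account {account} assumed {role}")
```

Running it prints one line for account 333333333333 on 2022-04-09. The same-account AssumeRole and the GetCallerIdentity call are filtered out, and the account that appeared during the first week stays quiet afterwards.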
Triage and response
- Determine if the @userIdentity.accountId is an AWS account managed by your company.
- If not, try to determine who the owner of the AWS account is.
- Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.
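For the last triage step, an added example (not part of this rule) that answers "who allowed this AWS account to assume this role" from the role's trust policy: given the AssumeRolePolicyDocument that iam:GetRole returns and the @userIdentity.accountId from the signal, it lists each Allow statement, principal and condition that grants that account sts:AssumeRole. The policy document below is constructed; the statement shape and principal formats are standard IAM.

```python
"""List which trust-policy statements let a given AWS account assume a role.
Added example for triage, not part of the Datadog rule. The policy is constructed."""
import json
import re

# Constructed trust policy as iam:GetRole would return it in AssumeRolePolicyDocument.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPartner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "partner-123"}}},
        {"Sid": "AllowCi", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ci",
                               "222222222222"]},
         "Action": ["sts:AssumeRole", "sts:TagSession"]},
        {"Sid": "EC2", "Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})

# Bare 12-digit account id, or an IAM/STS ARN whose account field is the id.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")


def as_list(v):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return v if isinstance(v, list) else [v]


def principal_account(principal):
    """Map an AWS principal string to its account id; '*' stays '*'; else None."""
    if principal == "*":
        return "*"
    m = ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def grants_for_account(policy_json, account_id):
    """Return (Sid, principal, condition) for every Allow statement whose AWS
    principal covers account_id and whose Action includes sts:AssumeRole.
    A wildcard principal is reported too, since it covers any account."""
    policy = json.loads(policy_json)
    grants = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = as_list(principal.get("AWS", []))
        for p in aws_principals:
            if principal_account(p) in ("*", account_id):
                grants.append((stmt.get("Sid"), p, stmt.get("Condition", {})))
    return grants


if __name__ == "__main__":
    for sid, principal, cond in grants_for_account(SAMPLE_TRUST_POLICY, "333333333333"):
        print(f"statement {sid}: principal {principal}, condition {cond}")
```

Feed it the real policy with something like `aws iam get-role --role-name <name>` and the account from the signal; an empty result for a role that was nonetheless assumed means the trust policy has changed since the event, which is itself worth chasing in CloudTrail (UpdateAssumeRolePolicy).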
Changelog
7 April 2022 - Updated rule query and signal message.