Anomalous number of assumed roles from user
Goal
Detect when a user has attempted to assume an anomalous number of unique roles.
Strategy
This rule sets a baseline for user activity for the AssumeRole
API call, and enables detection of potentially anomalous activity.
An attacker may attempt this for the following reasons:
- To identify which roles the user account has access to.
- To identify what AWS services are being used internally.
- To identify third party integrations and internal software.
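The baseline idea above, as an added example that is not Datadog's rule logic: it counts distinct role ARNs per caller per day in CloudTrail-style events and flags a day that exceeds the caller's own history. The daily window, the mean-plus-three-sigma threshold, the floor of three roles, and all event data (placeholder account ID, user and role names) are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def unique_roles_per_day(events):
    """Map (caller ARN, day) -> set of distinct role ARNs requested via AssumeRole."""
    buckets = defaultdict(set)
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        caller = (ev.get("userIdentity") or {}).get("arn")
        role = (ev.get("requestParameters") or {}).get("roleArn")
        if caller and role:
            # Denied calls (errorCode set) are kept: the rule counts attempts.
            buckets[(caller, ev["eventTime"][:10])].add(role)
    return buckets

def find_anomalies(events, today, sigmas=3.0, min_roles=3):
    """Return (caller, unique_roles_today, threshold) for callers above their baseline."""
    buckets = unique_roles_per_day(events)
    history = defaultdict(list)
    for (caller, day), roles in buckets.items():
        if day < today:  # ISO dates compare correctly as strings
            history[caller].append(len(roles))
    alerts = []
    for (caller, day), roles in buckets.items():
        if day != today:
            continue
        past = history.get(caller, [])
        # Assumed threshold: mean + N sigma of past days, never below min_roles.
        limit = max(min_roles, mean(past) + sigmas * pstdev(past)) if past else min_roles
        if len(roles) > limit:
            alerts.append((caller, len(roles), limit))
    return alerts

def make_event(day, caller, role, name="AssumeRole", error=None):
    ev = {"eventName": name, "eventTime": f"{day}T12:00:00Z",
          "userIdentity": {"arn": caller}, "requestParameters": {"roleArn": role}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample data: placeholder account ID and hypothetical user and role names.
ACCT = "arn:aws:iam::123456789012"
ALICE, BOB = f"{ACCT}:user/alice", f"{ACCT}:user/bob"
DAYS = [f"2024-01-0{d}" for d in range(1, 6)]
SAMPLE = [make_event(d, ALICE, f"{ACCT}:role/deploy") for d in DAYS]
SAMPLE += [make_event(d, BOB, f"{ACCT}:role/{r}") for d in DAYS + ["2024-01-06"] for r in ("ci", "logs")]
SAMPLE += [make_event("2024-01-06", ALICE, f"{ACCT}:role/r{i}", error="AccessDenied") for i in range(6)]

if __name__ == "__main__":
    print(find_anomalies(SAMPLE, "2024-01-06"))
```

In the sample, the caller that normally assumes one role and then tries six distinct roles in a day is flagged, while the caller that assumes the same two roles every day is not.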
Triage and response
- Investigate activity for the following ARN {{@userIdentity.arn}} using {{@userIdentity.session_name}}.
- Review any other security signals for {{@userIdentity.arn}}.
- If the activity is deemed malicious:
  - Rotate user credentials.
  - Determine what other API calls were made by the user.
  - Begin your organization’s incident response process and investigate.