Skip to content
Threat Feed
low advisory

AWS IAM API Calls via Temporary Session Tokens

Detection of AWS IAM API operations using temporary session credentials, indicating potential credential theft, session hijacking, or privileged role abuse for persistence and defense evasion.

This threat brief focuses on detecting the abuse of temporary session tokens within AWS environments. Temporary session tokens, identified by access key IDs starting with "ASIA," are commonly issued via sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins. While legitimate for short-term use, their use for privileged IAM actions like creating users, updating policies, or modifying trust relationships is unusual and indicative of malicious activity. Attackers might leverage compromised IAM users or roles to obtain these session tokens and perform unauthorized actions, aiming for persistence, privilege escalation, or defense evasion. This detection excludes console login sessions to reduce false positives, focusing on programmatic abuse.

Attack Chain

  1. An attacker compromises an IAM user or role within an AWS environment.
  2. The attacker uses the compromised credentials to request a temporary session token via sts:GetSessionToken or sts:AssumeRole.
  3. The attacker authenticates to the AWS API using the temporary session token (access key ID starting with ASIA).
  4. The attacker attempts to create a new IAM user using the CreateUser API call.
  5. The attacker attempts to modify an existing IAM user's policy using the PutUserPolicy API call.
  6. The attacker attempts to update the AssumeRolePolicy associated with an IAM role.
  7. The attacker may also attempt to modify CloudTrail or GuardDuty configurations for defense evasion.
  8. The attacker achieves persistence by creating new administrative users or roles, or by modifying existing permission policies.

Impact

Successful exploitation can allow attackers to establish persistent access within the AWS environment, escalate privileges to gain broader control, and evade detection by modifying security configurations. The impact includes unauthorized access to sensitive data, potential data breaches, and disruption of cloud services. While the specific number of victims or sectors targeted is unknown, organizations heavily reliant on AWS infrastructure are most at risk.

Recommendation

  • Deploy the AWS IAM API Calls via Temporary Session Tokens rule to detect suspicious API calls made with temporary session tokens. Tune the rule based on expected usage patterns within your environment.
  • Investigate all alerts generated by the rule, focusing on actions that modify IAM roles, user policies, and trust relationships, as described in the rule's investigation_fields.
  • Enforce MFA for all privileged IAM actions using aws:MultiFactorAuthPresent conditions to mitigate the risk of session token abuse, as mentioned in the rule's note.
  • Implement detection coverage for follow-on persistence actions such as iam:CreateAccessKey, iam:PutUserPolicy, and iam:UpdateAssumeRolePolicy, as recommended in the rule's note.

Detection coverage 3

AWS IAM CreateUser API Call via Temporary Session Token

medium

Detects the creation of new IAM users via the AWS API using temporary session credentials (access key IDs starting with ASIA), which may indicate unauthorized activity.

sigma tactics: persistence, privilege_escalation techniques: T1078, T1078.004, T1098 sources: webserver, linux

AWS IAM PutUserPolicy API Call via Temporary Session Token

medium

Detects modifications to IAM user policies via the AWS API using temporary session credentials, which may indicate privilege escalation or persistence attempts.

sigma tactics: persistence, privilege_escalation techniques: T1078, T1078.004, T1098 sources: webserver, linux

AWS IAM UpdateAssumeRolePolicy API Call via Temporary Session Token

medium

Detects updates to the AssumeRolePolicy of IAM roles via the AWS API using temporary session credentials, possibly indicating attackers modifying trust relationships for persistence.

sigma tactics: persistence, privilege_escalation techniques: T1078, T1078.004, T1098 sources: webserver, linux

Detection queries are available on the platform. Get full rules →