AWS IAM Assume Role Policy Brute Force Attack
Detection of brute force attacks against AWS IAM roles by identifying multiple failed AssumeRole attempts using CloudTrail logs, potentially leading to unauthorized access and resource compromise.
This detection focuses on identifying potential brute force attacks targeting AWS IAM roles. The attack involves adversaries attempting to guess valid role names in order to gain unauthorized access to AWS resources. By monitoring AWS CloudTrail logs for patterns of failed AssumeRole API calls, specifically those resulting in MalformedPolicyDocumentException errors, it is possible to identify suspicious activity indicative of a brute force attack. This analytic excludes known legitimate AWS service accounts to reduce false positives. The successful compromise of an IAM role can lead to privilege escalation, data exfiltration, and other malicious activities within the AWS environment. The detection is based on Amazon Security Lake events and requires ingesting CloudTrail logs.
Attack Chain
- Initial Access: The attacker attempts to assume an AWS IAM role using the
AssumeRoleAPI. - Role Enumeration: The attacker makes repeated
AssumeRolerequests, each time guessing a different role name. - Access Denied: Due to incorrect role names or policies, the
AssumeRolerequests fail, resulting inMalformedPolicyDocumentExceptionerrors with anAccessDeniedstatus. - CloudTrail Logging: AWS CloudTrail logs each failed
AssumeRoleattempt, capturing details such as the user ID, source IP address, and API operation. - Brute Force Threshold: The attacker continues attempting different role names until a predefined threshold of failed attempts is reached (e.g., 3 failures within an hour).
- Successful AssumeRole (if applicable): If the attacker successfully guesses a valid role name and satisfies the policy requirements, the
AssumeRoleAPI call succeeds, granting the attacker temporary credentials for the target role. - Privilege Escalation: The attacker uses the assumed role's credentials to access AWS resources and perform actions beyond their originally authorized permissions.
- Data Exfiltration / Resource Compromise: Depending on the compromised role's permissions, the attacker may exfiltrate sensitive data, modify infrastructure configurations, or deploy malicious workloads.
Impact
A successful IAM role brute force attack can lead to significant damage, including unauthorized access to sensitive data, modification or deletion of critical AWS resources, and potential disruption of business operations. The impact is highly dependent on the permissions associated with the compromised IAM role. If an attacker gains access to a role with broad privileges, the entire AWS environment could be at risk.
Recommendation
- Deploy the provided Sigma rules to your SIEM and tune for your environment, focusing on known good source IP ranges or trusted user groups (
actor.user.uid) to reduce false positives. - Investigate users (
actor.user.uid) triggering the detection, focusing on unusual source IP addresses (src_endpoint.ip) or user agents (http_request.user_agent). - Implement multi-factor authentication (MFA) for all IAM users to mitigate credential-based attacks.
- Review and harden IAM role policies to limit the impact of successful role assumption.
- Monitor CloudTrail logs for other suspicious API calls following a successful
AssumeRoleevent. - Investigate the references provided for more information on AWS IAM Assume Role vulnerabilities.
Detection coverage 1
AWS IAM Assume Role Brute Force Detection
highDetects potential brute force attacks against AWS IAM roles by identifying multiple failed AssumeRole attempts.
Detection queries are available on the platform. Get full rules →