AWS STS Role Assumption by Service for Privilege Escalation
Detection of AWS services assuming roles within AWS Security Token Service (STS) to gain temporary credentials and potentially escalate privileges or move laterally within the AWS environment.
This threat brief focuses on the abuse of AWS Security Token Service (STS) AssumeRole functionality by AWS services, as highlighted by an Elastic detection rule. The rule identifies instances where services such as EC2, Lambda, RDS, and others assume roles to obtain temporary credentials. While legitimate for standard operations, adversaries can exploit this behavior to escalate privileges or move laterally within an AWS environment. The technique involves leveraging existing service identities to gain access to resources beyond their intended scope. This rule is designed to detect anomalous or unauthorized role assumptions. The referenced detection rule was last updated on 2026-04-10 and analyzes AWS CloudTrail logs.
Attack Chain
- An attacker gains initial access to an AWS service, such as an EC2 instance, through methods like exploiting a vulnerable application running on the instance.
- The attacker leverages the compromised service's existing IAM role or configurations.
- The attacker uses the AWS STS AssumeRole API, using a service like EC2 or Lambda, to assume a different, more privileged role within the AWS environment.
- The
AssumeRolerequest includes the target role ARN (aws.cloudtrail.resources.arn) and a session name (aws.cloudtrail.flattened.request_parameters.roleSessionName), if available. - AWS STS validates the request based on IAM policies associated with the involved roles.
- If successful, AWS STS provides temporary credentials, including an access key ID, secret access key, and session token (
aws.cloudtrail.flattened.response_elements.credentials.accessKeyId). - The attacker uses the acquired temporary credentials to perform unauthorized actions, such as accessing sensitive data or modifying critical infrastructure.
- The attacker moves laterally by assuming other roles or accessing other resources within the AWS environment, escalating their privileges to achieve their objectives.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, modification or deletion of critical infrastructure, and overall compromise of the AWS environment. The risk score associated with this behavior is 21, indicating a moderate level of potential damage. Lateral movement allows the attacker to expand their reach within the environment, potentially impacting multiple services and data stores. Organizations in any sector utilizing AWS services are potentially at risk.
Recommendation
- Deploy the Sigma rule "AWS Service Assuming Privileged Role" to detect unusual role assumption activities, focusing on the
aws.cloudtrail.user_identity.invoked_byandaws.cloudtrail.resources.arnfields. - Investigate any alerts triggered by the Sigma rule, paying close attention to the user agent (
user_agent.original) and the assumed role's permissions. - Enable AWS CloudTrail logging and ensure the logs are being ingested into your SIEM to provide the necessary data for the detection rules.
- Create a baseline of legitimate role assumption activities by services in your environment to reduce false positives and improve the accuracy of the detection.
Detection coverage 2
AWS Service Assuming Privileged Role
mediumDetects when an AWS service assumes a role, potentially indicating privilege escalation or lateral movement.
AWS STS AssumeRole with Uncommon User Agent
lowDetects AssumeRole calls made with unusual user agents, which can indicate malicious tools or activity.
Detection queries are available on the platform. Get full rules →