AWS IAM Roles Anywhere Profile Creation
Detection of AWS IAM Roles Anywhere profile creation, potentially indicating an adversary establishing persistence or escalating privileges through rogue trust anchors to gain long-term external access.
AWS IAM Roles Anywhere enables external workloads to assume IAM roles securely, using certificates from trusted anchors. A profile links IAM roles to trust anchors and defines session duration. This detection identifies the "CreateProfile" API call, which adversaries may use to create or modify profiles, linking them with highly privileged roles or unauthorized trust anchors. This allows for long-term external access to the AWS environment. The rule focuses on successful 'CreateProfile' API calls. It is important to monitor profile creation to ensure that only approved roles and trust anchors are in use. This activity can lead to persistence and privilege escalation.
Attack Chain
- The adversary compromises an external system or obtains unauthorized access to a trusted certificate authority.
- The adversary establishes a rogue trust anchor within AWS IAM Roles Anywhere, representing the compromised CA or external system.
- The attacker leverages the
CreateProfileAPI call to create a new IAM Roles Anywhere profile. - The profile is configured to associate the rogue trust anchor with one or more IAM roles. The
roleArnsparameter within therequest_parametersshould be closely monitored for excessive permissions. - The adversary sets a long
durationSecondsfor the profile, maximizing the window of opportunity for assuming roles. - The attacker uses the
AssumeRoleWithCertificateAPI call, presenting a valid certificate issued by the compromised CA, to assume an IAM role associated with the newly created profile. - The assumed role is then used to perform unauthorized actions within the AWS environment, such as accessing sensitive data, modifying infrastructure, or deploying malicious code.
- The adversary maintains persistent access to the AWS environment through the compromised trust anchor and associated profile, enabling long-term control.
Impact
Successful exploitation can grant unauthorized external access to the AWS environment. This may lead to data breaches, service disruption, or the deployment of malicious infrastructure. While the source provides no specific numbers, the impact depends on the privileges associated with the assumed roles and the extent of the adversary's lateral movement within the AWS environment. Compromised Roles Anywhere profiles can provide persistent access, making detection and remediation critical.
Recommendation
- Deploy the Sigma rule
AWS IAM Roles Anywhere Profile Creationto your SIEM and tune for your environment to detect unauthorized profile creation events. - Restrict
rolesanywhere:CreateProfileAPI calls to a small set of administrative roles within your AWS environment to prevent unauthorized profile creation. - Implement AWS Config or Security Hub controls to alert on unauthorized or overly permissive Roles Anywhere profiles, as mentioned in the overview section.
- Review IAM role trust policies linked to external anchors, ensuring adherence to the principle of least privilege to minimize the impact of compromised profiles.
Detection coverage 2
AWS IAM Roles Anywhere Profile Creation
lowDetects the creation of a new AWS IAM Roles Anywhere profile.
AWS IAM Roles Anywhere Profile Creation by Unusual Identity
mediumDetects the creation of a new AWS IAM Roles Anywhere profile by an identity not typically associated with IAM management.
Detection queries are available on the platform. Get full rules →