AWS STS GetCallerIdentity API Called for the First Time
An adversary with access to compromised AWS credentials may attempt to verify their validity and determine the account they are using by calling the STS GetCallerIdentity API, potentially indicating credential compromise and unauthorized discovery activity.
The AWS Security Token Service (STS) GetCallerIdentity API returns the account ID, user ID and ARN of the IAM user or role behind the credentials making the call. No IAM permission is required to call it, and an explicit deny on sts:GetCallerIdentity does not block it, so it is the most reliable way for an attacker holding stolen access keys or session tokens to confirm that they still work and learn which account and principal they belong to, and it cannot be prevented by policy, only observed. A legitimate user normally already knows which account they are operating in, so the first GetCallerIdentity call ever recorded for a given identity is a useful reconnaissance signal. This detection flags that first call per identity and excludes events where userIdentity.type is AssumedRole, because calling GetCallerIdentity immediately after AssumeRole is routine. Expect tuning work: the AWS CLI, the SDKs and infrastructure tooling such as Terraform's AWS provider call GetCallerIdentity as part of ordinary startup to discover the account ID, so new automation identities and freshly onboarded users will trigger the rule once. The alert should therefore be treated as a prompt to check who the identity is, where the call came from and what the same credentials did next, rather than as proof of compromise on its own.
Attack Chain
- An attacker obtains AWS credentials through phishing, credential stuffing, or a compromised system (for example, access keys left in source code, configuration files, or on a compromised host).
- The attacker uses the compromised credentials to authenticate to the AWS environment.
- The attacker executes the sts:GetCallerIdentity API call to identify the associated AWS account ID, IAM user, or role.
- The AWS STS service processes the request and returns the identity information to the attacker.
- The attacker analyzes the returned identity information to understand the scope and privileges of the compromised credentials.
- The attacker uses the gathered information to perform further reconnaissance activities, such as identifying accessible resources and services.
- Based on the discovered information, the attacker may attempt to escalate privileges or move laterally within the AWS environment.
- The final objective could include data exfiltration, deployment of malicious workloads, or disruption of services.
Impact
The GetCallerIdentity call itself changes nothing and exposes only the caller's own account ID, user ID and ARN; the damage comes from what the now-validated credentials are allowed to do. If the reconnaissance goes undetected, the attacker can proceed to unauthorized access to sensitive data, compromise of workloads, and disruption of critical services, with consequences ranging from data breaches and financial losses to reputational damage and regulatory fines. Depending on the scope of the compromised credentials, the attacker may be able to access and control a large portion of the AWS environment. In the event of a breach, the organization may also incur costs related to incident response, data recovery, and legal settlements.
Recommendation
- Deploy the Sigma rule “AWS STS GetCallerIdentity API Called for the First Time by New Identity” to your SIEM and tune for your environment to detect anomalous usage of the GetCallerIdentity API.
- Investigate any alerts generated by the Sigma rule. Record the source IP address, user agent, and user identity associated with the API call, compare them with the identity's usual IPs and tooling, check when the access key in use was created and last rotated, and review the CloudTrail events that followed the call from the same identity and source, since an attacker typically moves on to enumeration (for example IAM, S3 or EC2 list and describe calls) within minutes.
- Review IAM permission policies for the user identity associated with the GetCallerIdentity API call to ensure the least privilege principle is followed.
- Enable AWS CloudTrail logging for all AWS regions in your account (a multi-region or organization trail) so that GetCallerIdentity calls made through both the global STS endpoint and the regional STS endpoints are captured; the detection rule depends on these events being present.
- Consider adding exceptions based on user.id or aws.cloudtrail.user_identity.arn values for automation workflows that legitimately rely on the GetCallerIdentity API, as mentioned in the overview. Keep the exception list explicit and reviewed; a broad exclusion on user agent alone is easy for an attacker to imitate.
- Implement multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise, as suggested in the documentation. Note that MFA on console sign-in does not protect long-lived access keys used for API calls; prefer short-lived credentials (IAM roles, IAM Identity Center) over long-lived keys, rotate any keys that must remain, and enforce the aws:MultiFactorAuthPresent condition in policies where MFA-backed sessions are expected.
Detection coverage (2 rules)
AWS STS GetCallerIdentity API Called for the First Time by New Identity
Severity: medium. Detects the first time an identity calls the STS GetCallerIdentity API, potentially indicating compromised credentials.
AWS STS GetCallerIdentity API Called from Unusual Source IP
Severity: low. Detects calls to the GetCallerIdentity API from source IPs that are not typically associated with the user identity.
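The following is an added example, not the platform's own rule logic or the Sigma rule text, showing how both rules listed above (first GetCallerIdentity call by a new identity, excluding AssumedRole and allowlisted automation ARNs, and a call from a source IP not previously seen for that identity) behave when replayed over CloudTrail-style records. The field names follow CloudTrail's JSON (eventSource, eventName, userIdentity.type, userIdentity.arn, sourceIPAddress, userAgent); the log lines, the allowlisted ARN and the IP baseline are constructed for this illustration, and the in-memory state stands in for whatever the SIEM keeps between searches.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records in JSON Lines form (not real logs). Only the fields
# the two rules read are included.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/AppRole/session1"},"sourceIPAddress":"10.0.1.5","userAgent":"aws-sdk-go/1.44"}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ci-deployer"},"sourceIPAddress":"10.0.2.9","userAgent":"terraform/1.7"}
{"eventTime":"2024-05-01T11:30:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.77","userAgent":"Boto3/1.34.0"}
{"eventTime":"2024-05-01T12:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0"}
"""

# Assumed allowlist of automation principals known to call GetCallerIdentity on startup.
ALLOWLISTED_ARNS = frozenset({"arn:aws:iam::123456789012:user/ci-deployer"})


def parse_events(log_text):
    """Parse JSON Lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline would count and alert on unparseable records
    return events


def is_get_caller_identity(ev):
    return ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "GetCallerIdentity"


class GetCallerIdentityDetector:
    """Stateful replay of the two rules; the SIEM would hold this state in production."""

    def __init__(self, allowlist=ALLOWLISTED_ARNS, known_ips=None):
        self.allowlist = allowlist
        self.seen_identities = set()
        # arn -> source IPs previously observed for that identity (the baseline for rule 2).
        self.seen_ips = defaultdict(set)
        for arn, ips in (known_ips or {}).items():
            self.seen_ips[arn].update(ips)

    def process(self, ev):
        alerts = []
        if not is_get_caller_identity(ev):
            return alerts
        ident = ev.get("userIdentity") or {}
        arn, ip = ident.get("arn"), ev.get("sourceIPAddress")
        if not arn:
            return alerts
        base = {"arn": arn, "sourceIPAddress": ip,
                "userAgent": ev.get("userAgent"), "eventTime": ev.get("eventTime")}

        # Rule 1 (medium): first GetCallerIdentity seen for this identity. AssumedRole is
        # excluded because GetCallerIdentity right after AssumeRole is routine.
        if (ident.get("type") != "AssumedRole"
                and arn not in self.allowlist
                and arn not in self.seen_identities):
            alerts.append({"rule": "first_time_by_new_identity", "severity": "medium", **base})
        self.seen_identities.add(arn)

        # Rule 2 (low): source IP never before seen for this identity. It stays silent until a
        # baseline exists, otherwise every identity's first call would fire here as well.
        if ip and arn in self.seen_ips and ip not in self.seen_ips[arn]:
            alerts.append({"rule": "unusual_source_ip", "severity": "low", **base})
        if ip:
            self.seen_ips[arn].add(ip)
        return alerts


def run_detection(log_text, allowlist=ALLOWLISTED_ARNS, known_ips=None):
    det = GetCallerIdentityDetector(allowlist, known_ips)
    return [a for ev in parse_events(log_text) for a in det.process(ev)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(json.dumps(alert))
```

Replaying the sample produces three alerts: alice's first call (medium), alice's later call from 198.51.100.77 (low, unusual source IP), and bob's first call (medium). The assumed-role session and the allowlisted ci-deployer identity produce nothing, and running with an empty allowlist makes ci-deployer's Terraform startup call fire too, which is the noise the exception list in the recommendations exists to absorb. Seeding known_ips from historical CloudTrail data is what keeps rule 2 from alerting on an identity's first appearance.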