AWS STS Role Chaining for Privilege Escalation and Persistence
AWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.
This threat brief addresses the potential abuse of AWS STS role chaining. Role chaining is a legitimate AWS feature where an assumed role is used to assume another role through the AWS CLI or API. However, malicious actors can exploit this functionality to escalate privileges if the second assumed role has broader permissions than the initial role. The chaining can also be used as a persistence mechanism since each AssumeRole action results in a refreshed session token with a maximum duration of one hour. This activity is detected by monitoring CloudTrail logs for the first occurrence of a role (identified by aws.cloudtrail.user_identity.session_context.session_issuer.arn) assuming another role (aws.cloudtrail.resources.arn). Detection focuses on identifying novel role-chaining relationships to highlight potentially unauthorized activity.
Attack Chain
- An attacker gains initial access to an AWS account, possibly through compromised credentials or an exposed access key.
- The attacker uses the compromised credentials to assume an initial IAM role using
sts:AssumeRole. This action is logged in CloudTrail with theAssumeRoleevent. - The attacker then uses the temporary credentials obtained from the first role to assume a second IAM role, again using
sts:AssumeRole. Theaws.cloudtrail.user_identity.session_context.session_issuer.arnfield identifies the first role, and theaws.cloudtrail.resources.arnfield identifies the second role. - If the second role has more permissions than the first, the attacker can use the second role's credentials to perform actions they couldn't do before (privilege escalation). This could involve actions related to IAM, EC2, S3 or other AWS services.
- The attacker leverages the increased permissions to access sensitive data stored in S3 buckets, modify IAM policies to grant themselves further access, or launch EC2 instances for malicious purposes.
- Each AssumeRole action generates new temporary credentials, effectively refreshing the attacker's session.
- The attacker maintains persistence within the AWS environment by repeatedly chaining roles to refresh temporary credentials.
- The attacker achieves their objective, such as exfiltrating sensitive data, deploying malware, or disrupting services.
Impact
Successful exploitation via role chaining can lead to significant privilege escalation within an AWS environment. This can enable attackers to gain unauthorized access to sensitive data, modify critical infrastructure configurations, and potentially disrupt business operations. The persistence aspect of role chaining can allow attackers to maintain a foothold in the environment for extended periods, making detection and remediation more challenging. The blast radius can extend across multiple AWS accounts if cross-account role chaining is involved.
Recommendation
- Deploy the Sigma rule
Detect AWS STS Role Chainingto identify instances of role chaining in AWS CloudTrail logs. Tune the rule to exclude expected role-chaining patterns based on your environment (aws.cloudtrail.user_identity.session_context.session_issuer.arn,aws.cloudtrail.resources.arn). - Monitor CloudTrail logs for
AssumeRoleevents whereaws.cloudtrail.user_identity.typeisAssumedRole, focusing on unusual or unexpected role combinations. - Implement least privilege policies for all IAM roles, limiting trust policies to only required principals. Periodically review role chaining patterns to validate necessity.
- Use the
AWS STS Role ChainingSigma rule to identify potential role chaining attempts and investigate accordingly. - Correlate CloudTrail logs with other security events (e.g., GuardDuty alerts) to identify potential privilege escalation or data exfiltration activities following role chaining.
- Enable MFA where possible on
AssumeRoleoperations.
Detection coverage 2
Detect AWS STS Role Chaining
mediumDetects AWS STS role chaining by identifying AssumeRole events where the user identity type is AssumedRole, indicating that the caller is another role.
Detect Cross-Account AWS STS Role Chaining
mediumDetects AWS STS role chaining across different AWS accounts by identifying AssumeRole events where the recipient account ID differs from the resources account ID.
Detection queries are available on the platform. Get full rules →