AWS IAM Roles Anywhere Profile Creation
Adversaries may create new AWS IAM Roles Anywhere profiles via the 'CreateProfile' API call to establish persistence or escalate privileges within an AWS environment by linking highly privileged roles to a rogue trust anchor, facilitating long-term external access.
This brief details the detection of AWS IAM Roles Anywhere profile creation, a technique adversaries can use to establish persistent access or escalate privileges within an AWS environment. AWS IAM Roles Anywhere enables external workloads and systems to assume IAM roles by authenticating with trusted certificate authorities (CAs), known as trust anchors. Attackers who have compromised or established a rogue trust anchor can leverage the CreateProfile API call to define new profiles. These profiles can then be linked to highly privileged IAM roles, granting long-term external access to the AWS infrastructure. Monitoring the creation of such profiles is crucial for identifying unauthorized access configurations and mitigating potential threats to cloud resources. This activity indicates a potential post-compromise action aimed at maintaining control or expanding access.
Attack Chain
- An adversary gains initial access to an AWS account, compromising an IAM user or role with permissions to create or modify AWS IAM Roles Anywhere configurations.
- The adversary establishes or leverages an existing rogue trusted certificate authority (Trust Anchor) within the AWS environment, often through prior compromise or misconfiguration.
- The adversary invokes the
rolesanywhere:CreateProfileAPI call to define a new Roles Anywhere profile, indicating an intent to establish a new external access vector. - During profile creation, the adversary configures the new profile to link the rogue
trustAnchorArnand specifies one or more highly privilegedroleArnsto be assumed. - The adversary sets an extended
durationSecondsfor the session, allowing for prolonged external access without repeated authentication. - Using a certificate issued by the rogue trust anchor, the adversary calls the
sts:AssumeRoleWithCertificateAPI, leveraging the newly created profile. - The adversary successfully assumes the highly privileged IAM roles, gaining persistent external access and escalating their privileges within the AWS environment.
- With elevated access, the adversary can then perform actions such as data exfiltration, resource modification, or further compromise of the AWS infrastructure.
Impact
Successful exploitation of AWS IAM Roles Anywhere profile creation leads to unauthorized, persistent, and potentially highly privileged external access to an organization's AWS environment. This can result in severe consequences, including data breaches, unauthorized modification or deletion of critical resources, service disruption, and the ability for attackers to further extend their foothold within the cloud infrastructure. The impact is significant as it provides a stealthy and durable mechanism for adversaries to maintain control, bypassing traditional IAM user/role authentication mechanisms and making detection and remediation challenging without specific monitoring.
Recommendation
- Deploy the Sigma rule
AWS IAM Roles Anywhere Profile Creationto your SIEM and tune for your environment. - Enable AWS CloudTrail logging with data events for all services to capture
CreateProfileAPI calls. - Review
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.access_key_idfields in your CloudTrail logs to identify the actor responsible for profile creation. - Investigate
aws.cloudtrail.request_parametersfields, specificallyprofileName,roleArns,trustAnchorArn, anddurationSeconds, to ensure profile configurations are legitimate and adhere to the principle of least privilege. - Correlate
CreateProfileevents with other AWS CloudTrail activities such asCreateTrustAnchor,CreateRole,PutRolePolicy,AttachRolePolicy, andAssumeRoleWithCertificateto identify a broader attack pattern. - Restrict
rolesanywhere:CreateProfilepermissions to a minimal set of administrative roles using IAM policies. - Implement AWS Config or Security Hub controls to continuously monitor for and alert on unauthorized or overly permissive Roles Anywhere profiles.
Detection coverage 1
AWS IAM Roles Anywhere Profile Creation
highDetects the creation of a new AWS IAM Roles Anywhere profile, which adversaries can use to establish persistence or escalate privileges within an AWS environment.
Detection queries are available on the platform. Get full rules →