Suspicious AWS IAM API Calls via Temporary Session Tokens
This detection rule identifies suspicious AWS IAM API operations performed using temporary session credentials (access keys starting with ASIA) that are not sourced from console logins, indicating potential credential theft, session hijacking, or abuse of privileged temporary credentials by an attacker for persistence, privilege escalation, or defense evasion within the AWS environment.
This brief details detection of suspicious AWS Identity and Access Management (IAM) API operations executed using temporary session credentials, characterized by access key IDs beginning with "ASIA". These temporary credentials are typically generated by services like sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins and are intended for short-term, programmatic use. It is highly unusual for legitimate users or automated processes to perform privileged IAM actions, such as creating users, updating policies, or managing multi-factor authentication (MFA), directly with these short-lived tokens. Such activity may signal credential theft, session hijacking, or the abuse of temporary credentials associated with a privileged role, enabling an attacker to establish persistence, escalate privileges, or disable security protections within an AWS environment. The detection specifically excludes legitimate console login sessions, significantly reducing false positives.
Attack Chain
- Initial Access: An attacker gains initial access to an AWS environment, often through compromised long-term credentials (e.g., IAM user access keys, compromised AWS SSO accounts) obtained via phishing, malware, or exposed secrets.
- Credential Access: Using the compromised long-term credentials, the attacker authenticates to AWS.
- STS Token Generation: The attacker generates temporary session credentials (access keys starting with "ASIA") via AWS Security Token Service (STS) calls like
sts:GetSessionTokenorsts:AssumeRole. This allows them to blend in with normal programmatic activity. - Privileged IAM Action: The attacker immediately utilizes these temporary session tokens to perform sensitive IAM API operations. Examples include
iam:CreateAccessKeyfor a new backdoor user,iam:PutUserPolicyto elevate permissions, oriam:UpdateAssumeRolePolicyto modify trust relationships for privilege escalation. - Persistence Established: By creating new access keys, modifying existing policies, or altering role trust policies, the attacker establishes persistent access to the AWS environment.
- Privilege Escalation: The newly created or modified IAM entities grant the attacker higher-level permissions than their initial access, allowing them to expand control.
- Impact: The attacker proceeds to achieve their ultimate objective, which could include data exfiltration, resource manipulation, infrastructure disruption, or cryptomining, leveraging their escalated privileges.
Impact
Successful exploitation of temporary session token abuse can lead to severe consequences for an AWS environment. Attackers can establish persistent access by creating new backdoor users or modifying existing IAM policies, enabling continued unauthorized operations. They can escalate privileges to gain control over critical resources, disable security mechanisms like MFA for other accounts, and exfiltrate sensitive data or deploy malicious resources such as cryptominers. The primary impact includes unauthorized data access, resource compromise, and potential financial losses due to resource misuse or regulatory fines stemming from data breaches.
Recommendation
- Deploy the Sigma rule "AWS IAM API Calls via Temporary Session Tokens" to your SIEM and tune for your environment to detect unusual IAM API calls via temporary session tokens.
- Enable AWS CloudTrail logging for all management events and data events, ensuring
iam.amazonaws.comevents are captured for detection by the provided Sigma rule. - Review
aws.cloudtrail.user_identity.arnandaws.cloudtrail.user_identity.typefields for any alerts generated by the Sigma rule to identify the originating user or role. - Examine
aws.cloudtrail.user_identity.session_context.mfa_authenticatedwhen investigating alerts, as an absence of MFA authentication may indicate token misuse. - Inspect
source.ipanduser_agent.originalfor any detected activity to identify unexpected origins or tools. - If unauthorized activity is confirmed, immediately revoke the temporary session by invalidating the associated IAM credentials as described in the investigation guide.
- Require MFA for all privileged actions using
aws:MultiFactorAuthPresentconditions in IAM policies to prevent future abuse of compromised credentials.
Detection coverage 1
AWS IAM API Calls via Temporary Session Tokens
highDetects sensitive AWS IAM API operations executed using temporary session credentials (access key IDs beginning with ASIA) that are not from console logins. This may indicate credential theft, session hijacking, or abuse of privileged role's temporary credentials for persistence or privilege escalation.
Detection queries are available on the platform. Get full rules →