{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rolesanywhere/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IAM Roles Anywhere"],"_cs_severities":["low"],"_cs_tags":["aws","iam","rolesanywhere","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAWS IAM Roles Anywhere enables external workloads to assume IAM roles securely, using certificates from trusted anchors. A profile links IAM roles to trust anchors and defines session duration. This detection identifies the \u0026quot;CreateProfile\u0026quot; API call, which adversaries may use to create or modify profiles, linking them with highly privileged roles or unauthorized trust anchors. This allows for long-term external access to the AWS environment. The rule focuses on successful 'CreateProfile' API calls. It is important to monitor profile creation to ensure that only approved roles and trust anchors are in use. This activity can lead to persistence and privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary compromises an external system or obtains unauthorized access to a trusted certificate authority.\u003c/li\u003e\n\u003cli\u003eThe adversary establishes a rogue trust anchor within AWS IAM Roles Anywhere, representing the compromised CA or external system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003eCreateProfile\u003c/code\u003e API call to create a new IAM Roles Anywhere profile.\u003c/li\u003e\n\u003cli\u003eThe profile is configured to associate the rogue trust anchor with one or more IAM roles. The \u003ccode\u003eroleArns\u003c/code\u003e parameter within the \u003ccode\u003erequest_parameters\u003c/code\u003e should be closely monitored for excessive permissions.\u003c/li\u003e\n\u003cli\u003eThe adversary sets a long \u003ccode\u003edurationSeconds\u003c/code\u003e for the profile, maximizing the window of opportunity for assuming roles.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssumeRoleWithCertificate\u003c/code\u003e API call, presenting a valid certificate issued by the compromised CA, to assume an IAM role associated with the newly created profile.\u003c/li\u003e\n\u003cli\u003eThe assumed role is then used to perform unauthorized actions within the AWS environment, such as accessing sensitive data, modifying infrastructure, or deploying malicious code.\u003c/li\u003e\n\u003cli\u003eThe adversary maintains persistent access to the AWS environment through the compromised trust anchor and associated profile, enabling long-term control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can grant unauthorized external access to the AWS environment. This may lead to data breaches, service disruption, or the deployment of malicious infrastructure. While the source provides no specific numbers, the impact depends on the privileges associated with the assumed roles and the extent of the adversary's lateral movement within the AWS environment. Compromised Roles Anywhere profiles can provide persistent access, making detection and remediation critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS IAM Roles Anywhere Profile Creation\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized profile creation events.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003erolesanywhere:CreateProfile\u003c/code\u003e API calls to a small set of administrative roles within your AWS environment to prevent unauthorized profile creation.\u003c/li\u003e\n\u003cli\u003eImplement AWS Config or Security Hub controls to alert on unauthorized or overly permissive Roles Anywhere profiles, as mentioned in the overview section.\u003c/li\u003e\n\u003cli\u003eReview IAM role trust policies linked to external anchors, ensuring adherence to the principle of least privilege to minimize the impact of compromised profiles.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-08T12:00:00Z","date_published":"2024-05-08T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-iam-roles-anywhere-profile-creation/","summary":"Detection of AWS IAM Roles Anywhere profile creation, potentially indicating an adversary establishing persistence or escalating privileges through rogue trust anchors to gain long-term external access.","title":"AWS IAM Roles Anywhere Profile Creation","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-iam-roles-anywhere-profile-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IAM Roles Anywhere"],"_cs_severities":["medium"],"_cs_tags":["aws","iam","rolesanywhere","persistence"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAWS IAM Roles Anywhere allows workloads outside AWS to assume IAM roles by presenting X.509 certificates. A trust anchor defines which certificate authority (CA) AWS trusts to validate these external identities. This rule detects when a trust anchor is created using an external CA (\u003ccode\u003esourceType= \u0026quot;CERTIFICATE_BUNDLE\u0026quot; or \u0026quot;SELF_SIGNED_REPOSITORY\u0026quot;\u003c/code\u003e) rather than an ACM-managed CA (\u003ccode\u003esourceType=\u0026quot;AWS_ACM_PCA\u0026quot;\u003c/code\u003e). An adversary establishing persistent external access can exploit this by authenticating using certificates signed by their own CA, even after key rotation. This activity is logged by CloudTrail, and this rule focuses on detecting the \u003ccode\u003eCreateTrustAnchor\u003c/code\u003e event with a non-AWS CA source type, potentially indicating unauthorized federation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an AWS account with sufficient privileges to manage IAM Roles Anywhere.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eCreateTrustAnchor\u003c/code\u003e API to register an external CA as a trusted root for Roles Anywhere. This involves setting the \u003ccode\u003esourceType\u003c/code\u003e to \u003ccode\u003eCERTIFICATE_BUNDLE\u003c/code\u003e or \u003ccode\u003eSELF_SIGNED_REPOSITORY\u003c/code\u003e instead of \u003ccode\u003eAWS_ACM_PCA\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates an IAM Roles Anywhere profile, associating it with the newly created trust anchor and one or more IAM roles.\u003c/li\u003e\n\u003cli\u003eThe attacker generates a client certificate signed by their external CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssumeRoleWithCertificate\u003c/code\u003e API call, presenting the client certificate to assume the associated IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions within the AWS environment with the privileges of the assumed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access even after standard credential rotation by generating new certificates signed by their trusted CA.\u003c/li\u003e\n\u003cli\u003eThe final objective is often to maintain long-term access to AWS resources, potentially for data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to AWS environments from outside the AWS infrastructure. This can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and potentially complete compromise of the AWS account. This scenario can bypass standard AWS security controls and makes credential rotation ineffective. The number of victims is currently unknown, but any organization using AWS IAM Roles Anywhere is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS IAM Roles Anywhere Trust Anchor Created with External CA\u0026quot; to your SIEM to detect unauthorized trust anchor creations (rule).\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eCreateTrustAnchor\u003c/code\u003e events and validate the \u003ccode\u003esourceType\u003c/code\u003e to ensure only authorized CAs are used (log source).\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003erolesanywhere:CreateTrustAnchor\u003c/code\u003e permissions to only authorized security administrators (reference).\u003c/li\u003e\n\u003cli\u003eImplement AWS Config rules or Security Hub findings to detect anomalous IAM and Roles Anywhere behavior (reference).\u003c/li\u003e\n\u003cli\u003eRegularly review existing trust anchors and profiles in IAM Roles Anywhere to identify and remove any unauthorized configurations (reference).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T12:00:00Z","date_published":"2024-05-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-aws-roles-anywhere-trust-anchor-external-ca/","summary":"The creation of an AWS IAM Roles Anywhere Trust Anchor using an external Certificate Authority (CA) instead of an AWS-managed CA allows adversaries to establish persistent access by using their own CA to sign certificates for authentication.","title":"AWS IAM Roles Anywhere Trust Anchor Created with External CA","url":"https://feed.craftedsignal.io/briefs/2024-05-aws-roles-anywhere-trust-anchor-external-ca/"}],"language":"en","title":"CraftedSignal Threat Feed - Rolesanywhere","version":"https://jsonfeed.org/version/1.1"}