<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rolesanywhere - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rolesanywhere/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rolesanywhere/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM Roles Anywhere Profile Creation</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-iam-roles-anywhere-profile-creation/</link><pubDate>Wed, 08 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-iam-roles-anywhere-profile-creation/</guid><description>Detection of AWS IAM Roles Anywhere profile creation, potentially indicating an adversary establishing persistence or escalating privileges through rogue trust anchors to gain long-term external access.</description><content:encoded><![CDATA[<p>AWS IAM Roles Anywhere enables external workloads to assume IAM roles securely, using certificates from trusted anchors. A profile links IAM roles to trust anchors and defines session duration. This detection identifies the &quot;CreateProfile&quot; API call, which adversaries may use to create or modify profiles, linking them with highly privileged roles or unauthorized trust anchors. This allows for long-term external access to the AWS environment. The rule focuses on successful 'CreateProfile' API calls. It is important to monitor profile creation to ensure that only approved roles and trust anchors are in use. This activity can lead to persistence and privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary compromises an external system or obtains unauthorized access to a trusted certificate authority.</li>
<li>The adversary establishes a rogue trust anchor within AWS IAM Roles Anywhere, representing the compromised CA or external system.</li>
<li>The attacker leverages the <code>CreateProfile</code> API call to create a new IAM Roles Anywhere profile.</li>
<li>The profile is configured to associate the rogue trust anchor with one or more IAM roles. The <code>roleArns</code> parameter within the <code>request_parameters</code> should be closely monitored for excessive permissions.</li>
<li>The adversary sets a long <code>durationSeconds</code> for the profile, maximizing the window of opportunity for assuming roles.</li>
<li>The attacker uses the <code>AssumeRoleWithCertificate</code> API call, presenting a valid certificate issued by the compromised CA, to assume an IAM role associated with the newly created profile.</li>
<li>The assumed role is then used to perform unauthorized actions within the AWS environment, such as accessing sensitive data, modifying infrastructure, or deploying malicious code.</li>
<li>The adversary maintains persistent access to the AWS environment through the compromised trust anchor and associated profile, enabling long-term control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can grant unauthorized external access to the AWS environment. This may lead to data breaches, service disruption, or the deployment of malicious infrastructure. While the source provides no specific numbers, the impact depends on the privileges associated with the assumed roles and the extent of the adversary's lateral movement within the AWS environment. Compromised Roles Anywhere profiles can provide persistent access, making detection and remediation critical.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>AWS IAM Roles Anywhere Profile Creation</code> to your SIEM and tune for your environment to detect unauthorized profile creation events.</li>
<li>Restrict <code>rolesanywhere:CreateProfile</code> API calls to a small set of administrative roles within your AWS environment to prevent unauthorized profile creation.</li>
<li>Implement AWS Config or Security Hub controls to alert on unauthorized or overly permissive Roles Anywhere profiles, as mentioned in the overview section.</li>
<li>Review IAM role trust policies linked to external anchors, ensuring adherence to the principle of least privilege to minimize the impact of compromised profiles.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>rolesanywhere</category><category>persistence</category><category>privilege-escalation</category></item><item><title>AWS IAM Roles Anywhere Trust Anchor Created with External CA</title><link>https://feed.craftedsignal.io/briefs/2024-05-aws-roles-anywhere-trust-anchor-external-ca/</link><pubDate>Thu, 02 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-aws-roles-anywhere-trust-anchor-external-ca/</guid><description>The creation of an AWS IAM Roles Anywhere Trust Anchor using an external Certificate Authority (CA) instead of an AWS-managed CA allows adversaries to establish persistent access by using their own CA to sign certificates for authentication.</description><content:encoded><![CDATA[<p>AWS IAM Roles Anywhere allows workloads outside AWS to assume IAM roles by presenting X.509 certificates. A trust anchor defines which certificate authority (CA) AWS trusts to validate these external identities. This rule detects when a trust anchor is created using an external CA (<code>sourceType= &quot;CERTIFICATE_BUNDLE&quot; or &quot;SELF_SIGNED_REPOSITORY&quot;</code>) rather than an ACM-managed CA (<code>sourceType=&quot;AWS_ACM_PCA&quot;</code>). An adversary establishing persistent external access can exploit this by authenticating using certificates signed by their own CA, even after key rotation. This activity is logged by CloudTrail, and this rule focuses on detecting the <code>CreateTrustAnchor</code> event with a non-AWS CA source type, potentially indicating unauthorized federation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an AWS account with sufficient privileges to manage IAM Roles Anywhere.</li>
<li>The attacker uses the <code>CreateTrustAnchor</code> API to register an external CA as a trusted root for Roles Anywhere. This involves setting the <code>sourceType</code> to <code>CERTIFICATE_BUNDLE</code> or <code>SELF_SIGNED_REPOSITORY</code> instead of <code>AWS_ACM_PCA</code>.</li>
<li>The attacker creates an IAM Roles Anywhere profile, associating it with the newly created trust anchor and one or more IAM roles.</li>
<li>The attacker generates a client certificate signed by their external CA.</li>
<li>The attacker uses the <code>AssumeRoleWithCertificate</code> API call, presenting the client certificate to assume the associated IAM role.</li>
<li>The attacker can now perform actions within the AWS environment with the privileges of the assumed IAM role.</li>
<li>The attacker maintains persistent access even after standard credential rotation by generating new certificates signed by their trusted CA.</li>
<li>The final objective is often to maintain long-term access to AWS resources, potentially for data exfiltration, lateral movement, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to establish persistent access to AWS environments from outside the AWS infrastructure. This can lead to unauthorized access to sensitive data, lateral movement within the AWS environment, and potentially complete compromise of the AWS account. This scenario can bypass standard AWS security controls and makes credential rotation ineffective. The number of victims is currently unknown, but any organization using AWS IAM Roles Anywhere is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;AWS IAM Roles Anywhere Trust Anchor Created with External CA&quot; to your SIEM to detect unauthorized trust anchor creations (rule).</li>
<li>Monitor AWS CloudTrail logs for <code>CreateTrustAnchor</code> events and validate the <code>sourceType</code> to ensure only authorized CAs are used (log source).</li>
<li>Restrict <code>rolesanywhere:CreateTrustAnchor</code> permissions to only authorized security administrators (reference).</li>
<li>Implement AWS Config rules or Security Hub findings to detect anomalous IAM and Roles Anywhere behavior (reference).</li>
<li>Regularly review existing trust anchors and profiles in IAM Roles Anywhere to identify and remove any unauthorized configurations (reference).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>aws</category><category>iam</category><category>rolesanywhere</category><category>persistence</category></item></channel></rss>