AWS IAM API Calls via Temporary Session Tokens
editAWS IAM API Calls via Temporary Session Tokens
editDetects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with ASIA). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS CloudTrail
- Data Source: AWS IAM
- Data Source: AWS STS
- Tactic: Persistence
- Tactic: Privilege Escalation
- Resources: Investigation Guide
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating AWS IAM API Calls via Temporary Session Tokens
This rule detects sensitive IAM API operations performed using temporary AWS credentials (session tokens starting with ASIA). These are short-lived credentials commonly obtained via sts:GetSessionToken, sts:AssumeRole, or AWS SSO login. While temporary credentials are often used for development and automation, they are rarely associated with direct IAM manipulation and may indicate credential theft, privilege escalation, or abuse of developer access.
Possible investigation steps:
- Review aws.cloudtrail.user_identity.arn to determine which IAM user or assumed role initiated the request.
- Check aws.cloudtrail.user_identity.access_key_id to confirm if the credential starts with ASIA, indicating a temporary session token.
- Examine aws.cloudtrail.user_identity.session_context.mfa_authenticated to verify whether MFA was present during session creation.
- Investigate source.ip to assess whether the request originated from a known network, office IP, or corporate VPN.
- Look at user_agent.original to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
- Confirm whether a recent sts:GetSessionToken, sts:AssumeRole, or AWS SSO login event issued the temporary credential.
- Correlate other events using the same access key ID to identify additional privileged actions, such as iam:CreateAccessKey, iam:PutUserPolicy, or iam:EnableMFADevice.
- Analyze timing via @timestamp to determine if the action occurred during off-hours or deviates from normal user behavior.
- Review the event.outcome to check if the API call was successful or failed, which may indicate unauthorized access attempts.
- Check for related events in the same session, such as iam:CreateUser, iam:AttachUserPolicy, or sts:GetCallerIdentity, to identify potential lateral movement or privilege escalation.
False positive analysis:
- Determine if the IAM user or automation pipeline routinely performs privileged actions using temporary session tokens.
- Validate whether the MFA context and source IP match expected developer or CI/CD behavior.
- Review recent IAM policy changes or deployments that may explain the behavior.
- Confirm if the user has a legitimate reason to perform sensitive IAM operations with temporary credentials, such as during a deployment or maintenance window.
Response and remediation:
- Revoke the temporary session token and rotate long-term access keys for the associated user if the behavior is unauthorized.
- Audit related CloudTrail events within the same session to identify policy changes, resource creation, or lateral movement.
- Add explicit deny statements in IAM policies to prevent sensitive IAM actions when aws:authType is not "console".
- Implement IP restrictions for IAM and STS API actions using aws:SourceIp conditions.
- Strengthen monitoring for IAM activity initiated by session tokens with MFA to improve detection coverage.
Rule query
editevent.dataset: aws.cloudtrail
and event.provider: ("iam.amazonaws.com")
and aws.cloudtrail.user_identity.type: "IAMUser"
and aws.cloudtrail.user_identity.access_key_id: ASIA*
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/