AWS STS Temporary IAM Session Token Used from Multiple Addresses
This rule detects when a single IAM user's temporary session token is used from multiple IP addresses within a short time frame. This behavior may indicate that an adversary has stolen temporary credentials and is using them from a different location.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS IAM
- Data Source: AWS CloudTrail
- Tactic: Initial Access
- Use Case: Identity and Access Audit
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and Analysis
Investigating AWS STS Temporary IAM Session Token Used from Multiple Addresses
Temporary session tokens (typically starting with ASIA) are expected to be short-lived and bound to a single user session. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere.
Possible Investigation Steps
- Identify the IAM User: Examine aws.cloudtrail.user_identity.arn and correlate with source.ip to determine how widely the token was used.
- Check Recent MFA Events: Determine whether the user recently enabled MFA, registered devices, or assumed a role using this token.
- Review Workload Context: Confirm whether the user was expected to be active in multiple regions or environments.
- Trace Adversary Movement: Pivot to related actions (e.g., s3:ListBuckets, iam:ListUsers, sts:GetCallerIdentity) to track further enumeration.
False Positive Analysis
- Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire.
- Confirm geolocation and workload context before escalating.
Response and Remediation
- Revoke the Token: Disable or rotate the IAM credentials and invalidate the temporary session token.
- Audit the Environment: Look for signs of lateral movement or data access during the token’s validity.
- Strengthen Controls: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device).
Rule query
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // filter on CloudTrail logs for STS temporary session tokens used by IAM users
    event.dataset == "aws.cloudtrail"
    and aws.cloudtrail.user_identity.arn is not null
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
    and source.ip is not null

    // exclude known benign IaC tools and automation frameworks
    and not (
        user_agent.original LIKE "%Terraform%"
        or user_agent.original LIKE "%Ansible%"
        or user_agent.original LIKE "%Pulumi%"  // spelling corrected from "Pulumni"
    )

    // filter for ASIA in tokens, indicating temporary session tokens
    and starts_with(aws.cloudtrail.user_identity.access_key_id, "ASIA")

// create a time window for aggregation
| eval time_window = DATE_TRUNC(30 minutes, @timestamp)
| keep source.ip, aws.cloudtrail.user_identity.arn

// aggregate unique source IPs per user within the time window
| stats source.ip.list = VALUES(source.ip), address_api_request_count = count_distinct(source.ip) by aws.cloudtrail.user_identity.arn

// filter for users with multiple unique source IPs in the time window
| where address_api_request_count >= 2
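The following is an added worked example, not Elastic's code and not part of the rule: a Python re-implementation of the query's filter and aggregation logic, plus the "Identify the IAM User" and "Trace Adversary Movement" pivots from the investigation guide, run over constructed CloudTrail-style events. Field names follow the ECS and aws.cloudtrail fields the query uses; all ARNs, access key IDs, IPs and user agents are placeholders. It goes one step beyond the query in that it buckets events into explicit 30-minute windows (the DATE_TRUNC the query computes), so it can be run over a data set longer than the rule's 30-minute search span.

```python
# Added example (not Elastic's code): mirror the rule's detection logic over
# constructed CloudTrail-style events and run the triage pivot for any alert.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the same user-agent exclusions as the rule (spelling of Pulumi corrected).
IAC_USER_AGENTS = ("Terraform", "Ansible", "Pulumi")
WINDOW = timedelta(minutes=30)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _event(ts, arn, id_type, key_id, ip, action, ua="aws-cli/2.15.0"):
    """Build one constructed event in the flattened field shape the rule query reads."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.action": action,
        "aws.cloudtrail.user_identity.arn": arn,
        "aws.cloudtrail.user_identity.type": id_type,
        "aws.cloudtrail.user_identity.access_key_id": key_id,
        "source.ip": ip,
        "user_agent.original": ua,
    }


# Placeholder identities (constructed, not real accounts).
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
CAROL = "arn:aws:iam::111111111111:user/carol"
DAVE = "arn:aws:sts::111111111111:assumed-role/ReadOnly/dave"

# Constructed sample data: alice's ASIA token is used from two addresses in one
# window; bob is an IaC pipeline (excluded by user agent); carol uses a long-term
# AKIA key (not a temporary token); dave's token is used from a single address.
EVENTS = [
    _event("2024-05-01T10:01:00Z", ALICE, "IAMUser", "ASIAPLACEHOLDER00001", "203.0.113.10", "GetCallerIdentity"),
    _event("2024-05-01T10:07:00Z", ALICE, "IAMUser", "ASIAPLACEHOLDER00001", "198.51.100.25", "ListBuckets"),
    _event("2024-05-01T10:09:00Z", ALICE, "IAMUser", "ASIAPLACEHOLDER00001", "198.51.100.25", "ListUsers"),
    _event("2024-05-01T10:02:00Z", BOB, "IAMUser", "ASIAPLACEHOLDER00002", "203.0.113.20", "DescribeInstances", ua="Terraform/1.7.0"),
    _event("2024-05-01T10:05:00Z", BOB, "IAMUser", "ASIAPLACEHOLDER00002", "203.0.113.21", "DescribeInstances", ua="Terraform/1.7.0"),
    _event("2024-05-01T10:03:00Z", CAROL, "IAMUser", "AKIAPLACEHOLDER00003", "203.0.113.30", "ListBuckets"),
    _event("2024-05-01T10:04:00Z", CAROL, "IAMUser", "AKIAPLACEHOLDER00003", "203.0.113.31", "ListBuckets"),
    _event("2024-05-01T10:06:00Z", DAVE, "AssumedRole", "ASIAPLACEHOLDER00004", "203.0.113.40", "GetCallerIdentity"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_start(ts, window=WINDOW):
    """Equivalent of DATE_TRUNC(30 minutes, @timestamp): floor to an epoch-aligned bucket."""
    return EPOCH + ((ts - EPOCH) // window) * window


def is_candidate(ev):
    """Mirror the rule's `where` clause: CloudTrail event from an IAM user or assumed
    role with a source IP, not a known IaC user agent, using an ASIA (temporary) key."""
    if ev.get("event.dataset") != "aws.cloudtrail":
        return False
    if not ev.get("aws.cloudtrail.user_identity.arn") or not ev.get("source.ip"):
        return False
    if ev.get("aws.cloudtrail.user_identity.type") not in ("IAMUser", "AssumedRole"):
        return False
    ua = ev.get("user_agent.original") or ""
    if any(tool in ua for tool in IAC_USER_AGENTS):  # LIKE "%Tool%" is case-sensitive
        return False
    return (ev.get("aws.cloudtrail.user_identity.access_key_id") or "").startswith("ASIA")


def detect(events, min_addresses=2):
    """Group candidate events by (identity ARN, 30-minute bucket) and alert where the
    number of distinct source IPs reaches min_addresses (the rule's `>= 2`)."""
    buckets = defaultdict(set)
    for ev in events:
        if is_candidate(ev):
            key = (ev["aws.cloudtrail.user_identity.arn"], window_start(parse_ts(ev["@timestamp"])))
            buckets[key].add(ev["source.ip"])
    return [
        {"arn": arn, "window_start": start.isoformat(), "source_ips": sorted(ips), "address_count": len(ips)}
        for (arn, start), ips in sorted(buckets.items())
        if len(ips) >= min_addresses
    ]


def pivot_actions(events, arn):
    """Triage pivot: the API actions the flagged identity performed, keyed by source address."""
    actions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("aws.cloudtrail.user_identity.arn") == arn:
            actions[ev["source.ip"]].append(ev["event.action"])
    return dict(actions)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
        print("  actions by address:", pivot_actions(EVENTS, alert["arn"]))
```

Running the block alerts only on alice: bob is dropped by the user-agent exclusion, carol because her key is a long-term AKIA key rather than an ASIA session token, and dave because his token was seen from one address. The pivot output then shows that the second address performed the ListBuckets and ListUsers enumeration, which is the context the investigation guide asks for before escalating.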
Framework: MITRE ATT&CK
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Valid Accounts
  - ID: T1078
  - Reference URL: https://attack.mitre.org/techniques/T1078/
- Sub-technique:
  - Name: Cloud Accounts
  - ID: T1078.004
  - Reference URL: https://attack.mitre.org/techniques/T1078/004/