Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and
11
-
could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role
12
-
could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a
13
-
role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for
14
-
assumed role sessions started by an EC2 instance.
10
+
Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance.
15
11
"""
16
-
false_positives = [
17
-
"""
18
-
Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure
19
-
validity of the triggered event and include exceptions where necessary.
20
-
""",
21
-
]
22
-
from = "now-9m"
23
-
language = "esql"
12
+
false_positives = ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."]
13
+
from = "now-6m"
14
+
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
15
+
language = "eql"
24
16
license = "Elastic License v2"
25
17
name = "AWS EC2 Instance Interaction with IAM Service"
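Review bot: the lookback window shrinks from `from = "now-9m"` (old line 22) to `from = "now-6m"` (new line 13) with no reason given; if the rule keeps Elastic's default 5-minute interval, that leaves only one minute of overlap between runs, so a CloudTrail event that is ingested a few minutes late can fall between two executions and never be evaluated. Either keep `now-9m` or record why the shorter window is safe. The `index = ["filebeat-*", "logs-aws.cloudtrail-*"]` line added next to the `language = "eql"` change is required, since EQL rules read from the configured indices rather than from a `FROM` clause in the query. The collapsed `false_positives` entry also keeps the comma splice from the old text ("workflow, ensure validity"); "workflow; ensure the validity" reads better.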
26
-
note = """## Triage and Analysis
27
-
28
-
### Investigating AWS EC2 Instance Interaction with IAM Service via Assumed Role
29
-
30
-
This detection rule identifies instances where an EC2 instance interacts with AWS IAM services through an assumed role. This type of activity is unusual and may indicate that an attacker is attempting to further exploit the environment using compromised EC2 instance credentials. Potentially, an attacker could use this access to escalate privileges or create new users and roles for persistence.
31
-
32
-
#### Possible Investigation Steps
33
-
34
-
- **Examine the Assumed Role and Initiating Instance**:
35
-
- **Role and Instance**: Check the `aws.cloudtrail.user_identity.arn` field to identify the specific EC2 instance and role involved in this activity (e.g., `arn:aws:sts::[account-id]:assumed-role/[role-name]/[instance-id]`).
36
-
- **Session Context**: Review the `aws.cloudtrail.user_identity.session_context` for details about the session creation and `mfa_authenticated` status, if available.
37
-
38
-
- **Identify the Action Performed**:
39
-
- **API Call**: Inspect `event.action` for the specific IAM API operation performed (e.g., `ListRoles`, `CreateUser`). This can provide insights into the level of permissions the instance is attempting to access.
40
-
- **Analyze Permissions**: Evaluate if the IAM role allows actions that the EC2 instance wouldn’t typically need. Roles with broad IAM permissions could indicate an overprivileged role or an attempt to escalate permissions.
41
-
42
-
- **Verify the Source of the Activity**:
43
-
- **Source IP and Location**: Check `source.ip` and `source.geo` fields to verify the origin of the request. Unusual locations could indicate unauthorized access.
44
-
- **User Agent**: Review `user_agent.original` to determine the tooling used. Expected values may include AWS CLI or SDKs, while unexpected user agents might point toward unusual or malicious usage.
45
-
46
-
- **Determine the Intent and Frequency of Similar Events**:
47
-
- **Previous Events**: Review CloudTrail logs to see if this EC2 instance or role has a history of interacting with IAM services, which may establish a baseline of normal or unusual behavior.
48
-
- **Multiple Actions**: Investigate if other IAM-related actions, such as `CreateUser` or `AttachRolePolicy`, have been called from this EC2 instance recently, indicating an attempt to escalate privileges or establish persistence.
49
-
50
-
### False Positive Analysis
51
-
52
-
- **Automation and Maintenance Tasks**: Some automation or administrative workflows might use EC2 instances to interact with IAM services. Verify if this event aligns with legitimate automation processes and consider excluding known workflows to reduce false positives.
53
-
- **Expected Patterns**: For environments with automation, verify if EC2 instances routinely assume roles to perform IAM-related tasks, and if so, document these patterns for future reference.
54
-
55
-
### Response and Remediation
56
-
57
-
- **Access Review**: If unauthorized access is suspected, review and limit the EC2 instance's IAM permissions, especially roles allowing IAM-related actions.
58
-
- **Role Management**: Confirm the role’s permissions align with its intended purpose and remove any overly permissive policies that may allow privilege escalation or persistence.
59
-
- **Alerting and Monitoring**: Consider setting up real-time alerts for similar IAM actions by EC2 instances, especially actions that involve privilege escalation or persistence techniques.
60
-
- **Policy Update**: Apply least privilege principles for IAM roles associated with EC2 instances to minimize potential exploitation risks.
61
-
62
-
### Additional Information
63
-
64
-
Refer to the [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and AWS best practices for IAM role usage to further understand secure role configurations.
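Review bot: the whole `note` investigation guide (old lines 26 to 64) is deleted with no replacement visible in this change, which leaves the rule without its triage steps, false-positive guidance and remediation advice, including the field names an analyst needs to pivot on (`aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.session_context`, `event.action`, `source.ip`, `user_agent.original`). Nothing in the ES|QL to EQL conversion makes that content obsolete, so unless the guide is being moved elsewhere in the same commit, keep the `note` block, and if it is being moved, say so in the commit message.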