IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS Sign-In Token Created

Identifies successful requests to the AWS federation endpoint (signin.amazonaws.com) for the GetSigninToken API. This API exchanges existing temporary AWS credentials (for example, those returned by STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is embedded in a one-click URL to the AWS Management Console. Custom federation tools and automation commonly use it to pivot from programmatic access to a browser session. This is a building block rule, meant to be correlated with other rules to detect suspicious activity.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Sign-In
  • Use Case: Identity and Access Audit
  • Tactic: Initial Access
  • Rule Type: BBR

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.dataset: "aws.cloudtrail" and
    event.provider: "signin.amazonaws.com" and
    event.action : "GetSigninToken" and
    event.outcome: "success"
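As an added example (not part of the Elastic rule or its documentation), the query's four conditions evaluated in Python over constructed CloudTrail records, followed by the kind of correlation the building-block description points at: matching a successful GetSigninToken to the STS call that minted the same temporary access key. The ECS mapping in to_ecs is an approximation of the Filebeat aws.cloudtrail module, and the function names and sample records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real events): an STS call that mints
# temporary credentials, a GetSigninToken using them 30 s later, and a denied one.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/fed-tool"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE1"}}},
    {"eventTime": "2024-01-01T10:00:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "GetSigninToken", "userIdentity": {"accessKeyId": "ASIAEXAMPLE1"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "GetSigninToken", "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
]

# The four conditions of the rule query, as ECS field/value pairs.
RULE = {"event.dataset": "aws.cloudtrail", "event.provider": "signin.amazonaws.com",
        "event.action": "GetSigninToken", "event.outcome": "success"}

def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def to_ecs(rec):
    """Flatten a raw CloudTrail record onto the ECS fields the rule queries, approximating
    the Filebeat aws.cloudtrail mapping (assumption): no errorCode means outcome success."""
    return {"@timestamp": parse_time(rec["eventTime"]),
            "event.dataset": "aws.cloudtrail",
            "event.provider": rec["eventSource"],
            "event.action": rec["eventName"],
            "event.outcome": "failure" if "errorCode" in rec else "success",
            "access_key_id": (rec.get("userIdentity") or {}).get("accessKeyId")}

def rule_hits(events):
    """Documents the building-block rule would alert on (all four conditions hold)."""
    return [d for d in map(to_ecs, events) if all(d.get(k) == v for k, v in RULE.items())]

def correlate_with_sts(events, window=timedelta(minutes=15)):
    """Building-block use (constructed, not an Elastic rule): pair each hit with the STS
    call that returned the same temporary access key within `window` before it."""
    issued = {}  # access key id -> (issue time, STS action)
    for r in events:
        creds = (r.get("responseElements") or {}).get("credentials") or {}
        if r["eventSource"] == "sts.amazonaws.com" and "accessKeyId" in creds:
            issued[creds["accessKeyId"]] = (parse_time(r["eventTime"]), r["eventName"])
    pairs = []
    for hit in rule_hits(events):
        issue = issued.get(hit["access_key_id"])
        if issue and timedelta(0) <= hit["@timestamp"] - issue[0] <= window:
            pairs.append((hit["access_key_id"], issue[1]))
    return pairs
```

With the sample data, only the second record satisfies the rule, and the correlation ties it back to the GetFederationToken call that issued ASIAEXAMPLE1.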

Framework: MITRE ATT&CK™