AWS STS GetFederationToken with AdministratorAccess in Request

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege abuse or dangerous automation.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS STS
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Tactic: Lateral Movement
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating AWS STS GetFederationToken with AdministratorAccess in Request

GetFederationToken issues temporary credentials (typically up to 36 hours) for a federated user name you specify. The effective permissions are the intersection of the IAM user’s permissions and the optional session policy in the request. Including AdministratorAccess in Policy (or a policy ARN / JSON that names it) is almost always over-privileged for federation use cases. For first-time GetFederationToken usage without this policy signal, see AWS First Occurrence of STS GetFederationToken Request by User.

Note: AWS documents that GetFederationToken must be called with long-term IAM user credentials (not role temporary credentials). Pivot on aws.cloudtrail.user_identity.arn and access_key_id accordingly.

Possible investigation steps

  • Parse aws.cloudtrail.request_parameters for name, policy, and durationSeconds.
  • Confirm whether the IAM user should perform federation or if the key may be compromised.
  • Search CloudTrail for subsequent events using response_elements.credentials.accessKeyId from the same response (if logged).
  • Correlate with IAM changes, data-plane access, or other STS calls from the same source.ip in a ±30 minute window.

False positive analysis

  • Typos or test accounts in non-production: still validate and narrow session policies.

Response and remediation

  • Revoke or rotate the IAM user access keys involved; enforce least privilege on the user and replace broad session policies.
  • GetFederationToken

Additional information

Rule query

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetFederationToken"
    and event.outcome: "success"
    and aws.cloudtrail.request_parameters: *AdministratorAccess*
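The query above and the triage steps in the investigation guide, as an added example that is not part of the Elastic rule or its code: the five KQL clauses are mirrored in Python over constructed CloudTrail records (the flattened ECS field names and the JSON layout of request_parameters are assumptions), and the matching event's name, policy, and durationSeconds are extracted for triage.

```python
import json

# Constructed sample events in the flattened ECS layout assumed for the
# Elastic AWS CloudTrail integration (not real log data).
SAMPLE_EVENTS = [
    {   # over-privileged federation request -> should alert
        "event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
        "event.action": "GetFederationToken", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/ci-deployer",
        "aws.cloudtrail.request_parameters": json.dumps({
            "name": "build-session",
            "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
            "durationSeconds": 129600}),
    },
    {   # narrow inline session policy -> no match
        "event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
        "event.action": "GetFederationToken", "event.outcome": "success",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/reporting",
        "aws.cloudtrail.request_parameters": json.dumps({
            "name": "reader", "durationSeconds": 3600,
            "policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                      '"Action":"s3:GetObject","Resource":"*"}]}'}),
    },
    {   # AdministratorAccess referenced but the call failed -> no match
        "event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
        "event.action": "GetFederationToken", "event.outcome": "failure",
        "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/intern",
        "aws.cloudtrail.request_parameters": json.dumps({
            "name": "x", "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}),
    },
]

def matches_rule(ev):
    """Mirror the rule's KQL; the *AdministratorAccess* wildcard is a substring test."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "GetFederationToken"
            and ev.get("event.outcome") == "success"
            and "AdministratorAccess" in (ev.get("aws.cloudtrail.request_parameters") or ""))

def triage_fields(ev):
    """Pull the fields the investigation guide asks for out of request_parameters."""
    params = json.loads(ev["aws.cloudtrail.request_parameters"])
    return {"user_arn": ev.get("aws.cloudtrail.user_identity.arn"),
            "name": params.get("name"),
            "policy": params.get("policy"),
            "policy_arns": [p.get("arn") for p in params.get("policyArns", [])],
            "duration_seconds": params.get("durationSeconds")}

def find_alerts(events):
    """Return triage records for every event the rule would fire on."""
    return [triage_fields(ev) for ev in events if matches_rule(ev)]
```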

Framework: MITRE ATT&CK™