detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[Rule Tuning] AWS IAM Brute Force of Assume Role Policy

Open imays11 opened this issue 3 months ago • 1 comments

Pull Request

Issue link(s):

  • https://github.com/elastic/ia-trade-team/issues/616

Update 11.25

I've added some group by fields for the threshold.value parameter [cloud.account.id, user.name, source.ip]. This reduces impact from a known bug <= 8.19.6 and provides some additional context for alert triage. Below is a screenshot of the triggered alert before and after the field changes. Same script is ran and produces an alert.

Screenshot 2025-11-25 at 3 32 43 PM

Summary - What I changed

Description and primary tactic for this rule is a bit misleading. The rule captures an IAM principal enumeration technique used by tools like PACU, it does not capture AssumeRole brute-force attempts. I've changed the primary tactic to Discover, changed the rule name and updated the rule description and Investigation Guide to more clearly reflect what behavior is being captured.

The query itself remains the same and the threshold values. I changed the execution window to the standard 5 min + 1 min lookback and was still able to capture the behavior.

The TARGET BEHAVIOR

  • You control IAM in Account A.
  • You have a role in Account A and you keep calling:
UpdateAssumeRolePolicy(
  RoleName = "enum-role",
  PolicyDocument = {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::<TARGET_ACCT>:role/<guess>" },
      "Action": "sts:AssumeRole"
    }]
  }
)
  • If the Principal ARN is valid and refers to something that can be a principal, the update can succeed.
  • If it’s invalid / non-existent, IAM throws MalformedPolicyDocumentException / “invalid principal in policy”.

That’s what this rule is seeing: lots of failed UpdateAssumeRolePolicy calls with bad principals. Stemming from within your account. This activity could be targeting an external account as a form of role enumeration.

Reference: PACU iam_enum_roles Module

How To Test

Test data in the stack to run the query against The existing rule has been updated with the execution window change Script for triggering the rule: trigger_discovery_iam_principal_enumeration_via_update_assume_role_policy.py

Screenshot of Alerting Rule and Triggering Events

Screenshot 2025-11-04 at 3 14 56 PM Screenshot 2025-11-04 at 3 13 51 PM

imays11 avatar Nov 04 '25 22:11 imays11