
AWS Roles Anywhere trust anchor created with an external CA

ID: aws_rolesanywhere_trust_external_ca
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0003 (Persistence): T1098.003 (Account Manipulation: Additional Cloud Roles)

Description

AlphaSOC detected the creation of an AWS IAM Roles Anywhere trust anchor that uses an external Certificate Authority (CA) rather than an AWS Private CA. With this configuration, AWS accepts certificates issued by that external CA as proof of identity when workloads outside AWS request temporary credentials for an IAM role. This can be a legitimate setup, but it extends the set of issuers whose certificates grant access to the account, so it carries risk if misused.

Impact

An unauthorized trust anchor can severely compromise the security of the AWS environment. An actor who controls the CA behind a trust anchor can issue certificates at will and use them to obtain credentials for any role the anchor's profiles allow, potentially leading to unauthorized access across AWS services.

Severity

| Severity      | Condition                                                   |
|---------------|-------------------------------------------------------------|
| Informational | Roles Anywhere trust anchor created with an external CA     |

Investigation and Remediation

Verify the legitimacy of the trust anchor creation by identifying the principal that made the CreateTrustAnchor call and confirming with its owner that the change was intended. Assess the external CA's security controls and credibility, including who can issue certificates from it. If the trust anchor was created without authorization, disable or delete it immediately and revoke any credentials obtained through it. Review AWS CloudTrail logs for related suspicious activity by the same principal or source IP address.
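A small triage helper for the step above, written here as an added example rather than AlphaSOC's own detection logic. It scans CloudTrail records for successful CreateTrustAnchor calls whose source is an uploaded certificate bundle (an external CA) and extracts the details needed to confirm the responsible party; the sample records are constructed, and the requestParameters layout is assumed to mirror the CreateTrustAnchor API's `source.sourceType` field.

```python
import json

# Constructed sample CloudTrail records (not real logs). requestParameters is
# assumed to mirror the CreateTrustAnchor API: sourceType CERTIFICATE_BUNDLE
# means an uploaded external CA certificate, AWS_ACM_PCA means AWS Private CA.
SAMPLE_RECORDS = [
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateTrustAnchor",
     "eventTime": "2024-05-01T10:15:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-admin"},
     "requestParameters": {"name": "vendor-ca-anchor",
                           "source": {"sourceType": "CERTIFICATE_BUNDLE",
                                      "sourceData": {"x509CertificateData": "<pem omitted>"}}}},
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateTrustAnchor",
     "eventTime": "2024-05-01T11:00:00Z", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/pki-automation"},
     "requestParameters": {"name": "internal-pca-anchor",
                           "source": {"sourceType": "AWS_ACM_PCA",
                                      "sourceData": {"acmPcaArn": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE"}}}},
    # Denied attempt: no anchor was created, so it is not a finding here.
    {"eventSource": "rolesanywhere.amazonaws.com", "eventName": "CreateTrustAnchor",
     "eventTime": "2024-05-01T12:30:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/intern"},
     "errorCode": "AccessDenied",
     "requestParameters": {"name": "unapproved-anchor",
                           "source": {"sourceType": "CERTIFICATE_BUNDLE"}}},
]


def external_ca_trust_anchors(records):
    """One finding per successful CreateTrustAnchor call backed by an
    external CA, with who did it, from where, and when."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "rolesanywhere.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateTrustAnchor":
            continue
        if "errorCode" in rec:  # failed call, nothing was created
            continue
        params = rec.get("requestParameters") or {}
        source = params.get("source") or {}
        if source.get("sourceType") != "CERTIFICATE_BUNDLE":
            continue
        findings.append({
            "anchor_name": params.get("name"),
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "event_time": rec.get("eventTime"),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(external_ca_trust_anchors(SAMPLE_RECORDS), indent=2))
```

Feed it the Records array from a CloudTrail export, then confirm each reported principal with its owner and check the same principal and source IP for follow-on activity.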