Suspicious AWS API calls indicating STS discovery
Description
AlphaSOC detected unexpected API calls indicating Security Token Service (STS) discovery activity. AWS STS is the service that issues temporary, limited-privilege credentials to IAM users, IAM roles and federated identities. This finding may indicate that a threat actor who holds a set of credentials is trying to learn which identity they belong to and what temporary credentials can be obtained from them in the AWS environment. Actions initiated by AWS services on a principal's behalf are exempt from the detection to avoid false positives.
Impact
Discovery of STS-related information lets an attacker understand how temporary credentials are issued and used within the environment, which can lead to credential theft or abuse. With that knowledge, an adversary can obtain temporary credentials that impersonate legitimate users or services and bypass controls that only watch long-lived access keys. The result can be unauthorized access to sensitive AWS resources, data exfiltration, or lateral movement across accounts and roles. Knowledge of how STS is used also helps an attacker spot misconfigurations, such as overly permissive trust policies or assume-role permissions, to exploit in later stages. Compromise of temporary credentials is especially concerning because their short lifetime and frequent legitimate churn make the abuse easier to miss than the theft of a permanent key.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
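The severity table above is a count of how many properties of a single STS call fall outside what has been seen before. The following is an added example that applies that scoring to CloudTrail records; it is not AlphaSOC's own detection code. The baseline, the IP-to-ASN table (CloudTrail carries source IPs, not ASNs, so a lookup is assumed), the service-initiated exemption check and the sample records are all constructed for the example.

```python
"""Score STS discovery events from CloudTrail records against a baseline.

Added example, not AlphaSOC's implementation. The baseline, the ASN table
and the CloudTrail records are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed baseline: properties previously observed for this account.
BASELINE = {
    "actions": {"GetCallerIdentity", "AssumeRole"},
    "asns": {16509},                      # assumed: the org's usual egress ASN
    "user_agents": {"aws-cli/2.15.0", "aws-sdk-go/1.44.0"},
    "regions": {"us-east-1", "eu-west-1"},
}

# Constructed IP-to-ASN table standing in for a real GeoIP/ASN lookup.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), 16509),
    (ip_network("198.51.100.0/24"), 64512),
]

# The page's table stops at three; four unexpected properties is treated as Medium (assumption).
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}


def lookup_asn(ip):
    """Map a source IP to an ASN; None for unknown or non-IP sources."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return None


def is_service_initiated(event):
    """Calls an AWS service makes on the principal's behalf are exempt."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "AWSService"
            or "invokedBy" in ident
            or event.get("sourceIPAddress", "").endswith(".amazonaws.com"))


def unexpected_properties(event, baseline=BASELINE):
    """Names of the four scored properties that are absent from the baseline."""
    checks = {
        "action": event["eventName"] not in baseline["actions"],
        "asn": lookup_asn(event.get("sourceIPAddress", "")) not in baseline["asns"],
        "user_agent": event.get("userAgent", "") not in baseline["user_agents"],
        "region": event["awsRegion"] not in baseline["regions"],
    }
    return [name for name, unexpected in checks.items() if unexpected]


def score_events(records):
    """Return one finding per non-exempt STS call with at least one unexpected property."""
    findings = []
    for event in records:
        if event.get("eventSource") != "sts.amazonaws.com" or is_service_initiated(event):
            continue
        unexpected = unexpected_properties(event)
        if not unexpected:
            continue
        findings.append({
            "eventName": event["eventName"],
            "principal": event["userIdentity"].get("arn"),
            "sourceIPAddress": event.get("sourceIPAddress"),
            "errorCode": event.get("errorCode"),  # AccessDenied still counts as discovery
            "unexpected": unexpected,
            "severity": SEVERITY[min(len(unexpected), 3)],
        })
    return findings


# Constructed CloudTrail records (fields reduced to those the scorer reads).
SAMPLE_RECORDS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetSessionToken", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.7", "userAgent": "python-requests/2.31", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "lambda.amazonaws.com", "userAgent": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

if __name__ == "__main__":
    for f in score_events(SAMPLE_RECORDS):
        print(f["severity"], f["eventName"], f["unexpected"], f["errorCode"])
```

Of the five constructed records, the first is entirely within the baseline and produces nothing, the second fires as Low (new ASN and user agent), the third as Medium (every property is new, and the AccessDenied error is kept because a failed call is still evidence of discovery), the Lambda-initiated AssumeRole is exempt, and the EC2 call is ignored because it is not an STS event.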
Investigation and Remediation
Investigate the source of the STS discovery calls. In AWS CloudTrail, filter on the event source sts.amazonaws.com and review the specific API calls made, the IAM user or role responsible (userIdentity), the source IP address, user agent, region and any error codes; a denied call is still evidence that someone probed with those credentials. Note that sts:GetCallerIdentity requires no permissions and cannot be blocked by an IAM deny, so its presence in CloudTrail is a reliable record that a credential was used, not a sign of a policy gap. Verify with the credential owner whether the activity is authorized. If it is not, treat the credentials as compromised: deactivate and rotate affected access keys immediately, and for roles revoke the sessions already issued (AWS does this by attaching a deny policy conditioned on aws:TokenIssueTime), since rotating the source key alone does not invalidate temporary credentials that are still within their lifetime.
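Rotating a key does not expire temporary credentials already issued from it. The following added example, which is not AlphaSOC's code, builds the same inline deny policy that the AWS console attaches under "Revoke active sessions" for a role and evaluates which sessions it would deny; the role name and timestamps are constructed.

```python
"""Build an aws:TokenIssueTime revocation policy and check which sessions it denies.

Added example, not AlphaSOC's code. Role name and timestamps are constructed.
"""
import json
from datetime import datetime, timezone


def _parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def revoke_sessions_policy(issued_before_iso: str) -> dict:
    """Deny every action to any session whose token was issued before the cutoff.

    Sessions assumed after the cutoff are unaffected, so the role stays usable
    once the leaked source credential has been rotated.
    """
    cutoff = _parse_iso(issued_before_iso).strftime("%Y-%m-%dT%H:%M:%S") + ".000Z"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}},
        }],
    }


def session_is_denied(policy: dict, token_issue_time_iso: str) -> bool:
    """Evaluate the DateLessThan condition as IAM would for a request carrying aws:TokenIssueTime."""
    cutoff = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    return _parse_iso(token_issue_time_iso) < _parse_iso(cutoff)


def revocation_plan(role_name: str, issued_before_iso: str, active_sessions: dict) -> dict:
    """Summarise which of the known sessions (name -> issue time) the policy cuts off."""
    policy = revoke_sessions_policy(issued_before_iso)
    denied = sorted(s for s, t in active_sessions.items() if session_is_denied(policy, t))
    kept = sorted(s for s in active_sessions if s not in denied)
    return {"role": role_name, "policy": policy, "denied": denied, "kept": kept}


if __name__ == "__main__":
    # Constructed: sessions seen in CloudTrail for the affected role.
    sessions = {
        "attacker-session": "2024-05-01T11:40:00Z",
        "ci-runner": "2024-05-01T11:55:00Z",
        "ops-after-rotation": "2024-05-01T12:05:00Z",
    }
    plan = revocation_plan("DataPipelineRole", "2024-05-01T12:00:00Z", sessions)
    print(json.dumps(plan["policy"], indent=2))
    print("denied:", plan["denied"], "kept:", plan["kept"])
```

Save the policy document and attach it with `aws iam put-role-policy --role-name DataPipelineRole --policy-name AWSRevokeOlderSessions --policy-document file://policy.json` (constructed names). Set the cutoff to the time you rotated the source key, not the time of the first suspicious call: anything issued earlier, legitimate or not, is denied, and anything assumed afterwards with the new key keeps working. If the attacker still holds a valid long-lived key, a later AssumeRole yields a fresh session past the cutoff, which is why key rotation and session revocation go together.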