Multiple denied AWS assume role API calls requiring investigation
Description
AlphaSOC detected 10 or more denied AWS assume role API calls for different roles within 15 minutes, involving actions such as AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity. These API calls allow an entity (IAM user, AWS service, or application) to assume an AWS IAM role and potentially escalate privileges.
Impact
A high volume of denied attempts to assume a role may indicate an ongoing compromise, where an adversary has already gained initial access to the AWS environment and is trying to exploit misconfigured AWS IAM policies. If successful, it could lead to unauthorized access to sensitive AWS resources, potentially allowing unauthorized users to view, modify, or delete sensitive data, launch new resources, or misuse AWS services for malicious purposes.
Severity
| Severity | Condition |
|---|---|
| Medium | Multiple denied AWS assume role API calls requiring investigation |
Investigation and Remediation
Review AWS CloudTrail logs to identify the source of the denied API calls, including IP addresses, user agents, AWS regions, and any associated users or role identities. Verify whether the attempts were authorized. If unauthorized, rotate potentially compromised credentials and review AWS IAM policies and role configurations to ensure they adhere to the principle of least privilege.
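As an added illustration (not AlphaSOC's detection code), the following Python implements the rule described above, 10 or more denied AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity calls against distinct roles within a 15-minute window, over CloudTrail-shaped events, and collects the triage fields the investigation step lists (source IP, user agent, region, calling identity). Field names follow the CloudTrail record format; the account id, ARNs, IP address, user agent and timestamps are constructed sample data, and the fallback that reads the role ARN out of errorMessage assumes that a denied call may be logged without requestParameters.

```python
"""Added example (not AlphaSOC's code): sliding-window detection of the rule on
this page, 10+ denied AssumeRole* calls against distinct roles within 15 minutes,
over CloudTrail-shaped events, collecting the fields an analyst needs for triage."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ASSUME_ROLE_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}
WINDOW = timedelta(minutes=15)
THRESHOLD = 10  # distinct denied roles per actor inside WINDOW
# Assumption: a denied call may carry no requestParameters, but errorMessage names the role.
ROLE_ARN_RE = re.compile(r"on resource: (arn:aws:iam::\d{12}:role/\S+)")

def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def actor_key(event):
    """Group denials by calling identity ARN, falling back to the source IP."""
    return (event.get("userIdentity") or {}).get("arn") or event.get("sourceIPAddress", "unknown")

def denied_role(event):
    """Return the target role ARN if this is a denied AssumeRole* call, else None."""
    if (event.get("eventSource") != "sts.amazonaws.com"
            or event.get("eventName") not in ASSUME_ROLE_EVENTS
            or event.get("errorCode") != "AccessDenied"):
        return None
    role = (event.get("requestParameters") or {}).get("roleArn")
    if role:
        return role
    match = ROLE_ARN_RE.search(event.get("errorMessage", ""))
    return match.group(1) if match else None

def detect(events):
    """One finding per actor whose distinct denied roles reach THRESHOLD inside WINDOW."""
    windows = defaultdict(deque)  # actor -> deque of (time, role_arn, event) still in the window
    findings = {}
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        role = denied_role(ev)
        if role is None:
            continue
        now, actor = parse_time(ev["eventTime"]), actor_key(ev)
        window = windows[actor]
        window.append((now, role, ev))
        while now - window[0][0] > WINDOW:  # expire denials older than 15 minutes
            window.popleft()
        roles = {r for _, r, _ in window}
        if len(roles) >= THRESHOLD:
            # Refresh the finding as the burst continues; these are the fields the
            # investigation step says to review in CloudTrail.
            findings[actor] = {
                "actor": actor,
                "distinct_roles": len(roles),
                "window_start": window[0][0].isoformat(),
                "window_end": now.isoformat(),
                "event_names": sorted({e["eventName"] for _, _, e in window}),
                "source_ips": sorted({e.get("sourceIPAddress", "") for _, _, e in window}),
                "user_agents": sorted({e.get("userAgent", "") for _, _, e in window}),
                "regions": sorted({e.get("awsRegion", "") for _, _, e in window}),
            }
    return list(findings.values())

# ---- Constructed sample data: fake account id, ARNs, IP and user agent ----
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNT = "123456789012"

def make_event(minute, actor, role, *, name="AssumeRole", denied=True, params=True):
    ev = {
        "eventTime": (BASE + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "sts.amazonaws.com", "eventName": name, "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": actor},
    }
    if params:  # CloudTrail may omit this on denied calls (see ROLE_ARN_RE)
        ev["requestParameters"] = {"roleArn": role, "roleSessionName": "session"}
    if denied:
        ev["errorCode"] = "AccessDenied"
        ev["errorMessage"] = f"User: {actor} is not authorized to perform: sts:{name} on resource: {role}"
    return ev

BURST_ACTOR = f"arn:aws:iam::{ACCOUNT}:user/ci-runner"
SLOW_ACTOR = f"arn:aws:iam::{ACCOUNT}:user/alice"
SAMPLE_EVENTS = (
    # 12 distinct roles denied in 12 minutes (half without requestParameters): fires
    [make_event(i, BURST_ACTOR, f"arn:aws:iam::{ACCOUNT}:role/target-{i}", params=i % 2 == 0)
     for i in range(12)]
    # same actor, SAML variant, inside the window
    + [make_event(5, BURST_ACTOR, f"arn:aws:iam::{ACCOUNT}:role/saml-role", name="AssumeRoleWithSAML")]
    # 10 distinct roles denied, but 3 minutes apart: never 10 inside one 15-minute window
    + [make_event(3 * i, SLOW_ACTOR, f"arn:aws:iam::{ACCOUNT}:role/slow-{i}") for i in range(10)]
    # a successful call is ignored
    + [make_event(2, SLOW_ACTOR, f"arn:aws:iam::{ACCOUNT}:role/ok", denied=False)]
)

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Running the block prints one finding for the constructed ci-runner identity and none for the slower actor, which shows why the window matters: the same number of denials spread over half an hour stays below the threshold. Grouping by identity ARN rather than by IP keeps a single compromised credential used from several addresses in one finding, and the collected source_ips, user_agents and regions are exactly what the investigation step asks an analyst to compare against expected usage before deciding whether to rotate credentials and tighten the affected IAM policies.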