LoFP / AWS IAM Roles Anywhere trust anchors are legitimate resources that administrators create to let workloads outside AWS exchange X.509 certificates for temporary credentials, so access from any location is expected. Before escalating, confirm that the trust anchor was created by a legitimate administrator and that the external certificate authority it references is one the organization has authorized.

Techniques

Sample rules

AWS IAM Roles Anywhere Trust Anchor Created with External CA

Description

Identifies when an AWS IAM Roles Anywhere trust anchor backed by an external certificate authority is created. Roles Anywhere trust anchors and profiles are legitimate resources that administrators create to allow workloads outside AWS to obtain temporary credentials from any location. This rule fires when a trust anchor is created whose source is not an AWS Certificate Manager Private Certificate Authority (ACM PCA), that is, a certificate bundle for a CA that AWS does not manage. An adversary who holds the private key of such a CA can keep issuing client certificates that map to IAM roles, so registering that CA as a trust anchor is one way to maintain persistence in the environment.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: rolesanywhere.amazonaws.com
    and event.action: CreateTrustAnchor
    and event.outcome: success
    and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*
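The query above applied to constructed CloudTrail records, followed by the two triage checks the false-positive note asks for (who created the anchor, and is the CA authorized). This is an added example for this page, not the Elastic rule's own code and not LoFP content. Every record is constructed: the account ID, ARNs, IP address and the two "certificate" bodies (base64 of marker text, not real X.509 DER) are placeholders, and APPROVED_CA_FINGERPRINTS and ADMIN_ROLE_ARNS are hypothetical allowlists an analyst would maintain. One difference from the query: Elastic matches `sourceType=AWS_ACM_PCA` as a substring of the serialized request parameters, while this code reads the structured `source.sourceType` field of the CreateTrustAnchor request directly.

```python
"""Run the CreateTrustAnchor detection over constructed CloudTrail records
and triage each hit against hypothetical admin and CA allowlists."""
import base64
import hashlib
import re

ACM_PCA = "AWS_ACM_PCA"
ROLESANYWHERE = "rolesanywhere.amazonaws.com"


def _pem_body(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode the body."""
    b64 = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    return base64.b64decode(b64)


def ca_fingerprint(pem: str) -> str:
    """SHA-256 over the decoded certificate body, as hex (how most tools print it)."""
    return hashlib.sha256(_pem_body(pem)).hexdigest()


def _fake_pem(marker: str) -> str:
    """Constructed stand-in for a CA certificate; NOT a parsable X.509 cert."""
    body = base64.b64encode(marker.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


APPROVED_CA_PEM = _fake_pem("constructed: corp-device-ca")
ROGUE_CA_PEM = _fake_pem("constructed: unknown-ca")
# Hypothetical allowlists: CAs the org has authorised, and who may register them.
APPROVED_CA_FINGERPRINTS = {ca_fingerprint(APPROVED_CA_PEM)}
ADMIN_ROLE_ARNS = {"arn:aws:iam::123456789012:role/PlatformAdmin"}


def _event(name, principal, source, error=None):
    """Build a minimal constructed CloudTrail record for a rolesanywhere API call."""
    ev = {
        "eventSource": ROLESANYWHERE,
        "eventName": name,
        "userIdentity": {"arn": principal},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": "anchor", "source": source},
    }
    if error:
        ev["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return ev


ADMIN = "arn:aws:iam::123456789012:role/PlatformAdmin"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
SAMPLE_EVENTS = [
    # ACM PCA-backed anchor: excluded by the rule
    _event("CreateTrustAnchor", ADMIN, {"sourceType": ACM_PCA, "sourceData": {
        "acmPcaArn": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abc"}}),
    # external bundle, approved CA, known admin: fires, triages as benign
    _event("CreateTrustAnchor", ADMIN, {"sourceType": "CERTIFICATE_BUNDLE",
                                        "sourceData": {"x509CertificateData": APPROVED_CA_PEM}}),
    # external bundle, unknown CA, non-admin: fires, escalate
    _event("CreateTrustAnchor", CONTRACTOR, {"sourceType": "CERTIFICATE_BUNDLE",
                                             "sourceData": {"x509CertificateData": ROGUE_CA_PEM}}),
    # same attempt but denied: event.outcome is not success, rule does not fire
    _event("CreateTrustAnchor", CONTRACTOR, {"sourceType": "CERTIFICATE_BUNDLE",
                                             "sourceData": {"x509CertificateData": ROGUE_CA_PEM}},
           error="AccessDeniedException"),
    # a different rolesanywhere API: wrong event.action
    _event("CreateProfile", ADMIN, {}),
]


def matches_rule(event: dict) -> bool:
    """The page's query, clause by clause: provider, action, outcome, then the
    negated AWS_ACM_PCA source type."""
    if event.get("eventSource") != ROLESANYWHERE:
        return False
    if event.get("eventName") != "CreateTrustAnchor":
        return False
    if "errorCode" in event:  # event.outcome: success <=> no errorCode
        return False
    source = (event.get("requestParameters") or {}).get("source") or {}
    return source.get("sourceType") != ACM_PCA


def triage(event: dict) -> str:
    """Apply the false-positive checks to a hit: is the actor an expected admin,
    and is the external CA one the organisation has authorised?"""
    actor = event["userIdentity"]["arn"]
    pem = event["requestParameters"]["source"]["sourceData"].get("x509CertificateData")
    ca_known = pem is not None and ca_fingerprint(pem) in APPROVED_CA_FINGERPRINTS
    if actor in ADMIN_ROLE_ARNS and ca_known:
        return "benign"        # known admin registering an authorised CA
    if ca_known:
        return "review_actor"  # authorised CA, but an unexpected principal
    return "escalate"          # unknown CA: whoever holds its key can mint client certs


def run(events):
    """Return (actor, verdict) for every record the rule fires on."""
    return [(e["userIdentity"]["arn"], triage(e)) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for actor, verdict in run(SAMPLE_EVENTS):
        print(f"{verdict:13} {actor}")
```

The fingerprint comparison is the check that matters: an attacker can give a rogue CA any subject name they like, so match on the hash of the certificate body, not on its display name. On real records replace `_fake_pem` bundles with the PEM that CloudTrail logs under `requestParameters.source.sourceData.x509CertificateData`.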