LoFP / aws iam roles anywhere trust anchors are legitimate profiles that can be created by administrators to allow access from any location. ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized.

Techniques

• T1098

Sample rules

AWS IAM Roles Anywhere Trust Anchor Created with External CA

• source: elastic
• technicques:
  • T1098

Description

Detects the creation of an AWS IAM Roles Anywhere Trust Anchor that uses an external certificate authority (CA) rather than an AWS-managed Certificate Manager Private CA (ACM PCA). While Roles Anywhere enables secure, short-term credential issuance for workloads outside AWS, adversaries can exploit this feature by registering their own external CA as a trusted root. This allows them to generate valid client certificates that persistently authenticate to AWS roles from any location, even after key rotation or credential revocation events. This rule helps detect persistence or unauthorized federation attempts by flagging trust anchors configured with non-AWS CAs.

Detection logic

info where event.dataset == "aws.cloudtrail"
  and event.provider == "rolesanywhere.amazonaws.com"
  and event.action == "CreateTrustAnchor"
  and event.outcome == "success"
  and not stringContains(aws.cloudtrail.request_parameters, "sourceType=AWS_ACM_PCA")