LoFP / Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to appear from multiple IPs. Review the geolocation and automation context to rule out benign use.

Techniques

Sample rules

AWS STS Temporary IAM Session Token Used from Multiple Addresses

Description

This rule detects when a single IAM user’s temporary session token is used from multiple IP addresses within a short time frame. This behavior may indicate that an adversary has stolen temporary credentials and is using them from a different location.

Detection logic

from logs-aws.cloudtrail* metadata _id, _version, _index
| where

    // filter on CloudTrail logs for STS temporary session tokens used by IAM users or assumed roles
    event.dataset == "aws.cloudtrail"
    and aws.cloudtrail.user_identity.arn is not null
    and aws.cloudtrail.user_identity.type in ("IAMUser", "AssumedRole")
    and source.ip is not null

    // exclude known benign IaC tools and automation frameworks
    and not (
        user_agent.original LIKE "%Terraform%"
        or user_agent.original LIKE "%Ansible%"
        or user_agent.original LIKE "%Pulumi%"
    )

    // access key IDs beginning with "ASIA" are temporary credentials issued by STS
    and starts_with(aws.cloudtrail.user_identity.access_key_id, "ASIA")

// bucket events into 30-minute windows for aggregation
| eval time_window = DATE_TRUNC(30 minutes, @timestamp)
| keep source.ip, aws.cloudtrail.user_identity.arn, time_window

// aggregate unique source IPs per user within each time window
| stats source.ip.list = VALUES(source.ip), address_api_request_count = count_distinct(source.ip) by aws.cloudtrail.user_identity.arn, time_window

// alert on users seen from two or more unique source IPs in the same window
| where address_api_request_count >= 2
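The aggregation the rule performs, re-implemented as an added Python example (this is not Elastic's code and not part of the original page) over a handful of constructed CloudTrail-style records. Field names are shortened from the ECS names in the query; the IaC user-agent markers, the ASIA prefix, the 30-minute window and the threshold of two distinct addresses are taken from the rule above. The sample data also covers the benign case from the LoFP note (distributed automation runners, excluded by user agent) and a user whose two addresses fall in different windows, which shows why the grouping by time window matters.

```python
"""Pure-Python re-implementation of the multi-address session-token check."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Exclusions and thresholds mirror the ES|QL rule above.
IAC_USER_AGENT_MARKERS = ("Terraform", "Ansible", "Pulumi")
TEMPORARY_KEY_PREFIX = "ASIA"   # STS-issued temporary credentials
WINDOW = timedelta(minutes=30)
MIN_DISTINCT_IPS = 2
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample records (not real CloudTrail data); key names are
# shortened from aws.cloudtrail.user_identity.* / source.ip / user_agent.original.
SAMPLE_EVENTS = [
    # alice: ASIA key, two different source IPs inside one 30-minute window -> should fire
    {"@timestamp": "2024-05-01T10:02:00Z", "arn": "arn:aws:iam::123456789012:user/alice",
     "type": "IAMUser", "access_key_id": "ASIAEXAMPLEKEY00001",
     "source_ip": "203.0.113.10", "user_agent": "aws-cli/2.15.0"},
    {"@timestamp": "2024-05-01T10:17:00Z", "arn": "arn:aws:iam::123456789012:user/alice",
     "type": "IAMUser", "access_key_id": "ASIAEXAMPLEKEY00001",
     "source_ip": "198.51.100.7", "user_agent": "aws-cli/2.15.0"},
    # bob: globally distributed Terraform runners, the benign case from the LoFP note,
    # excluded by user agent before aggregation
    {"@timestamp": "2024-05-01T10:05:00Z", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci",
     "type": "AssumedRole", "access_key_id": "ASIAEXAMPLEKEY00002",
     "source_ip": "203.0.113.20", "user_agent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0"},
    {"@timestamp": "2024-05-01T10:08:00Z", "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci",
     "type": "AssumedRole", "access_key_id": "ASIAEXAMPLEKEY00002",
     "source_ip": "192.0.2.44", "user_agent": "APN/1.0 HashiCorp/1.0 Terraform/1.7.0"},
    # carol: long-term AKIA key, out of scope for this rule even with two addresses
    {"@timestamp": "2024-05-01T10:10:00Z", "arn": "arn:aws:iam::123456789012:user/carol",
     "type": "IAMUser", "access_key_id": "AKIAEXAMPLEKEY00003",
     "source_ip": "203.0.113.30", "user_agent": "aws-cli/2.15.0"},
    {"@timestamp": "2024-05-01T10:12:00Z", "arn": "arn:aws:iam::123456789012:user/carol",
     "type": "IAMUser", "access_key_id": "AKIAEXAMPLEKEY00003",
     "source_ip": "198.51.100.9", "user_agent": "aws-cli/2.15.0"},
    # dave: two addresses, but at 10:20 and 10:55, i.e. in different windows -> should not fire
    {"@timestamp": "2024-05-01T10:20:00Z", "arn": "arn:aws:iam::123456789012:user/dave",
     "type": "IAMUser", "access_key_id": "ASIAEXAMPLEKEY00004",
     "source_ip": "203.0.113.40", "user_agent": "Boto3/1.34.0"},
    {"@timestamp": "2024-05-01T10:55:00Z", "arn": "arn:aws:iam::123456789012:user/dave",
     "type": "IAMUser", "access_key_id": "ASIAEXAMPLEKEY00004",
     "source_ip": "198.51.100.11", "user_agent": "Boto3/1.34.0"},
]


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def truncate_to_window(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Equivalent of DATE_TRUNC: floor the timestamp to the start of its window."""
    return EPOCH + (ts - EPOCH) // window * window


def is_in_scope(event: dict) -> bool:
    """Apply the rule's WHERE filters to a single event."""
    if not event.get("arn") or not event.get("source_ip"):
        return False
    if event.get("type") not in ("IAMUser", "AssumedRole"):
        return False
    user_agent = event.get("user_agent") or ""
    if any(marker in user_agent for marker in IAC_USER_AGENT_MARKERS):
        return False
    return (event.get("access_key_id") or "").startswith(TEMPORARY_KEY_PREFIX)


def find_multi_address_sessions(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Group in-scope events by (ARN, window) and report groups seen from >= min_ips addresses."""
    ips_by_group = defaultdict(set)
    for event in events:
        if not is_in_scope(event):
            continue
        bucket = truncate_to_window(parse_timestamp(event["@timestamp"]), window)
        ips_by_group[(event["arn"], bucket)].add(event["source_ip"])
    return [
        {"arn": arn, "time_window": bucket.isoformat(),
         "source_ips": sorted(ips), "address_api_request_count": len(ips)}
        for (arn, bucket), ips in sorted(ips_by_group.items())
        if len(ips) >= min_ips
    ]


if __name__ == "__main__":
    for hit in find_multi_address_sessions(SAMPLE_EVENTS):
        print(hit)   # only alice's 10:00-10:30 window is reported
```

Running the block prints a single hit for alice; bob is filtered by the user-agent exclusion, carol by the ASIA prefix check, and dave's two addresses land in separate 30-minute buckets. For the false positive the LoFP note describes, an automation identity whose user agent is not on the exclusion list, the first triage step in this model is to inspect the `source_ips` list of the hit together with the user agents that produced it.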