Highly unusual for legitimate workflows to embed or reference full administrator access in GetFederationToken session policies; if found, it is often legacy or misconfigured tooling. Confirm with the owning team and replace with least-privilege session policies. Tune only after documented approval.

Techniques

Sample rules

AWS STS GetFederationToken with AdministratorAccess in Request

Description

Identifies successful calls to AWS STS GetFederationToken where request parameters reference AdministratorAccess. This API returns temporary security credentials for a federated user with permissions bounded by the calling IAM user and any inline session policy passed in the request. Supplying or referencing the AWS managed AdministratorAccess policy (or an equivalent string in the policy payload) can grant broadly privileged temporary credentials and may indicate privilege abuse or dangerous automation.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetFederationToken"
    and event.outcome: "success"
    and aws.cloudtrail.request_parameters: *AdministratorAccess*
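The detection logic above, re-expressed as a Python check over constructed ECS-shaped CloudTrail records so that the one expected hit and the two expected non-hits (a scoped session policy, and a failed call) can be exercised offline. This is an added example, not the rule's own code; the record layout, the federated user names, the bucket ARN and the scoped policy are all assumptions.

```python
import fnmatch
import json

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# Least-privilege inline session policy: the replacement the LoFP note asks for.
SCOPED_SESSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::reports-bucket/*"}]}

def make_event(outcome: str, request_parameters: dict) -> dict:
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "sts.amazonaws.com",
        "event.action": "GetFederationToken",
        "event.outcome": outcome,
        # the flattened field holds requestParameters as one serialized string
        "aws.cloudtrail.request_parameters": json.dumps(request_parameters),
    }

SAMPLE_EVENTS = [  # constructed sample records, not real CloudTrail output
    # should match: managed AdministratorAccess referenced via PolicyArns
    make_event("success", {"name": "legacy-deploy-tool",
                           "policyArns": [{"arn": ADMIN_ARN}]}),
    # should not match: scoped inline session policy
    make_event("success", {"name": "report-reader",
                           "policy": json.dumps(SCOPED_SESSION_POLICY)}),
    # should not match: admin request, but the call failed
    make_event("failure", {"name": "legacy-deploy-tool",
                           "policyArns": [{"arn": ADMIN_ARN}]}),
]

# The rule's terms, mirroring the KQL above; edit here when tuning.
EQUALITY_TERMS = {"event.dataset": "aws.cloudtrail",
                  "event.provider": "sts.amazonaws.com",
                  "event.action": "GetFederationToken",
                  "event.outcome": "success"}
WILDCARD_TERM = ("aws.cloudtrail.request_parameters", "*AdministratorAccess*")

def matches_rule(event: dict) -> bool:
    """Evaluate the detection logic against one flattened event."""
    if any(event.get(f) != v for f, v in EQUALITY_TERMS.items()):
        return False
    field, pattern = WILDCARD_TERM
    # fnmatch reproduces the KQL wildcard: substring hit anywhere in the string
    return fnmatch.fnmatchcase(event.get(field, ""), pattern)

def federated_user_names(events: list[dict]) -> list[str]:
    """Requested federated user name per hit: what to confirm with the owner."""
    return [json.loads(e["aws.cloudtrail.request_parameters"]).get("name", "?")
            for e in events if matches_rule(e)]
```

Because the wildcard term keys on the literal policy name, a request whose inline policy grants the same access without naming AdministratorAccess falls outside this rule and needs a separate policy-content check.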