LoFP / Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate.

Techniques

Sample rules

AWS IAM API Calls via Temporary Session Tokens

Description

Detects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with ‘ASIA’). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: ("iam.amazonaws.com")
    and aws.cloudtrail.user_identity.type: "IAMUser"
    and aws.cloudtrail.user_identity.access_key_id: ASIA*
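As an added example (not part of the LoFP page or Elastic's rule implementation), the following Python evaluates the same four conditions over constructed ECS-style CloudTrail documents and, for each hit, surfaces the user, source IP and timing fields the false-positive note says to review. The field names, sample values and the `KNOWN_AUTOMATION_USERS` allowlist are assumptions.

```python
import fnmatch
from typing import Any, Optional

# Constructed ECS-style CloudTrail documents; field values are assumptions, not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T02:14:00Z", "user": {"name": "deploy-bot"}, "source": {"ip": "203.0.113.10"},
     "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com", "action": "AttachUserPolicy"},
     "aws": {"cloudtrail": {"user_identity": {"type": "IAMUser", "access_key_id": "ASIAEXAMPLE00000001"}}}},
    {"@timestamp": "2024-05-01T09:30:00Z", "user": {"name": "alice"}, "source": {"ip": "198.51.100.7"},
     "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com", "action": "ListUsers"},
     "aws": {"cloudtrail": {"user_identity": {"type": "IAMUser", "access_key_id": "AKIAEXAMPLE00000002"}}}},
    {"@timestamp": "2024-05-01T09:31:00Z", "user": {"name": "ci-role"}, "source": {"ip": "198.51.100.7"},
     "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com", "action": "CreateAccessKey"},
     "aws": {"cloudtrail": {"user_identity": {"type": "AssumedRole", "access_key_id": "ASIAEXAMPLE00000003"}}}},
    {"@timestamp": "2024-05-01T23:58:00Z", "user": {"name": "bob"}, "source": {"ip": "192.0.2.44"},
     "event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com", "action": "GetCallerIdentity"},
     "aws": {"cloudtrail": {"user_identity": {"type": "IAMUser", "access_key_id": "ASIAEXAMPLE00000004"}}}},
]
# Assumed allowlist of automation principals expected to hold session tokens;
# it annotates hits for triage rather than suppressing them.
KNOWN_AUTOMATION_USERS = {"deploy-bot"}

def get_path(doc: dict, path: str) -> Optional[Any]:
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc: dict) -> bool:
    """The four KQL conditions above; ASIA* is a case-sensitive prefix wildcard."""
    key = get_path(doc, "aws.cloudtrail.user_identity.access_key_id")
    return (get_path(doc, "event.dataset") == "aws.cloudtrail"
            and get_path(doc, "event.provider") == "iam.amazonaws.com"
            and get_path(doc, "aws.cloudtrail.user_identity.type") == "IAMUser"
            and isinstance(key, str) and fnmatch.fnmatchcase(key, "ASIA*"))

def triage_context(doc: dict) -> dict:
    """Fields the false-positive note says to review: user, source IP, timing."""
    user = get_path(doc, "user.name")
    return {"user": user, "source_ip": get_path(doc, "source.ip"),
            "timestamp": get_path(doc, "@timestamp"), "action": get_path(doc, "event.action"),
            "known_automation": user in KNOWN_AUTOMATION_USERS}

def run_rule(events: list) -> list:
    """Triage records for every document the rule matches."""
    return [triage_context(e) for e in events if matches_rule(e)]
```

Only the first document matches: the AKIA key, the AssumedRole identity and the sts.amazonaws.com provider each fail one condition, and the surviving hit is tagged as known automation so an analyst can weigh the IP and the 02:14 timestamp before closing it.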