LoFP

Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate. Console login sessions result in temporary "ASIA" credentials and can typically be ignored for this alert. This can be verified in "event.original" as "sessionCredentialFromConsole": true.

Techniques

Sample rules

AWS IAM API Calls via Temporary Session Tokens

Description

Detects sensitive AWS IAM API operations executed using temporary session credentials (access key IDs beginning with “ASIA”). Temporary credentials are commonly issued through sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins and are meant for short-term use. It is unusual for legitimate users or automated processes to perform privileged IAM actions (e.g., creating users, updating policies, or enabling/disabling MFA) with session tokens. This behavior may indicate credential theft, session hijacking, or the abuse of a privileged role’s temporary credentials.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: ("iam.amazonaws.com")
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "IAMUser"
    and aws.cloudtrail.user_identity.access_key_id: ASIA*
    and source.ip: *
    and not user_agent.original : "AWS Internal"
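The following is an added example, not part of the LoFP page or of the rule itself: it evaluates each clause of the KQL query above against constructed ECS-style CloudTrail documents, then applies the triage hint from the false-positive note (console logins carry sessionCredentialFromConsole: true in the raw record held in event.original). The field layout mirrors the rule's own field names; the sample events, key IDs and IP addresses are constructed, and the check accepts the flag as either the string "true" or a boolean so it tolerates either serialization.

```python
"""Added example: apply the rule's KQL clauses and the console-session triage hint
to constructed CloudTrail documents (not real logs, not the rule's own code)."""
import json


def _get(doc, path):
    """Walk a dotted ECS field path; return None if any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(ev):
    """True when the document satisfies every clause of the rule's query."""
    key_id = _get(ev, "aws.cloudtrail.user_identity.access_key_id") or ""
    return (
        _get(ev, "event.dataset") == "aws.cloudtrail"
        and _get(ev, "event.provider") == "iam.amazonaws.com"
        and _get(ev, "event.outcome") == "success"
        and _get(ev, "aws.cloudtrail.user_identity.type") == "IAMUser"
        and key_id.startswith("ASIA")          # KQL wildcard ASIA*
        and bool(_get(ev, "source.ip"))        # `source.ip: *` = field present
        and _get(ev, "user_agent.original") != "AWS Internal"
    )


def from_console_session(ev):
    """Triage hint from the false-positive note: console sessions set
    sessionCredentialFromConsole to true in the raw record (event.original)."""
    raw = _get(ev, "event.original")
    try:
        record = json.loads(raw) if isinstance(raw, str) else {}
    except json.JSONDecodeError:
        return False
    val = record.get("sessionCredentialFromConsole")
    return val is True or str(val).lower() == "true"


def triage(events):
    """Split rule hits into (alerts, suppressed) using the console-session hint."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        bucket = suppressed if from_console_session(ev) else alerts
        bucket.append(_get(ev, "event.action"))
    return alerts, suppressed


def make_event(action, key_id, user_agent="aws-cli/2.15.0", outcome="success",
               console=False, ip="203.0.113.10"):
    """Build a constructed ECS-style CloudTrail document for the examples below."""
    raw = {"eventSource": "iam.amazonaws.com", "eventName": action}
    if console:
        raw["sessionCredentialFromConsole"] = "true"   # as CloudTrail emits it
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                  "outcome": outcome, "action": action, "original": json.dumps(raw)},
        "aws": {"cloudtrail": {"user_identity": {"type": "IAMUser",
                                                  "access_key_id": key_id}}},
        "source": {"ip": ip},
        "user_agent": {"original": user_agent},
    }


# Constructed sample set: one true hit, one console-session false positive,
# and three documents that fail a clause (long-term AKIA key, AWS Internal
# user agent, failed outcome).
SAMPLE_EVENTS = [
    make_event("AttachUserPolicy", "ASIAEXAMPLE0000000001"),
    make_event("CreateAccessKey", "ASIAEXAMPLE0000000002",
               user_agent="console.amazonaws.com", console=True),
    make_event("CreateUser", "AKIAEXAMPLE0000000003"),
    make_event("UpdateAssumeRolePolicy", "ASIAEXAMPLE0000000004",
               user_agent="AWS Internal"),
    make_event("DeactivateMFADevice", "ASIAEXAMPLE0000000005", outcome="failure"),
]


if __name__ == "__main__":
    hits, ignored = triage(SAMPLE_EVENTS)
    print("alert:", hits)          # ['AttachUserPolicy']
    print("console session, ignored:", ignored)   # ['CreateAccessKey']
```

Suppression here is only the first triage step; per the note, the remaining hits still need the user context, source IP and timing reviewed before the alert is closed.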