LoFP

Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate. This rule automatically excludes console login sessions using the aws.cloudtrail.session_credential_from_console field, which significantly reduces false positives from legitimate console-based IAM operations.

Techniques

Sample rules

AWS IAM API Calls via Temporary Session Tokens

Description

Detects sensitive AWS IAM API operations executed using temporary session credentials (access key IDs beginning with “ASIA”). Temporary credentials are commonly issued through sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins and are meant for short-term use. It is unusual for legitimate users or automated processes to perform privileged IAM actions (e.g., creating users, updating policies, or enabling/disabling MFA) with session tokens. This behavior may indicate credential theft, session hijacking, or the abuse of a privileged role’s temporary credentials.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: ("iam.amazonaws.com")
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "IAMUser"
    and aws.cloudtrail.user_identity.access_key_id: ASIA*
    and source.ip: *
    and not user_agent.original : "AWS Internal"
    and not aws.cloudtrail.session_credential_from_console: true
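The detection logic above re-implemented as an added Python example (not code from the LoFP page or from the rule's vendor) and run over constructed CloudTrail-style documents; the field names are the rule's, while the sample values, event IDs and helper names are assumptions made for the example.

```python
# Added example: the rule's KQL clauses as a Python predicate, exercised
# against constructed (fictional) CloudTrail documents so each exclusion
# in the rule can be checked against a concrete event.

def matches_rule(doc: dict) -> bool:
    """True when a flattened CloudTrail document satisfies every clause."""
    key_id = doc.get("aws.cloudtrail.user_identity.access_key_id") or ""
    return (
        doc.get("event.dataset") == "aws.cloudtrail"
        and doc.get("event.provider") == "iam.amazonaws.com"
        and doc.get("event.outcome") == "success"
        and doc.get("aws.cloudtrail.user_identity.type") == "IAMUser"
        and key_id.startswith("ASIA")          # KQL: access_key_id: ASIA*
        and doc.get("source.ip") is not None   # KQL: source.ip: * (field exists)
        and doc.get("user_agent.original") != "AWS Internal"
        and doc.get("aws.cloudtrail.session_credential_from_console") is not True
    )

def _event(event_id: str, **overrides) -> dict:
    """Constructed baseline event that matches the rule, with overrides applied."""
    base = {
        "id": event_id,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "iam.amazonaws.com",
        "event.action": "CreateUser",
        "event.outcome": "success",
        "aws.cloudtrail.user_identity.type": "IAMUser",
        "aws.cloudtrail.user_identity.access_key_id": "ASIAEXAMPLE0000000001",
        "source.ip": "203.0.113.10",
        "user_agent.original": "aws-cli/2.15.0",
    }
    base.update(overrides)
    return base

# Constructed samples: one expected hit plus one event per clause that excludes it.
SAMPLE_EVENTS = [
    _event("cli-temp-cred-createuser"),
    _event("long-term-key", **{"aws.cloudtrail.user_identity.access_key_id": "AKIAEXAMPLE0000000001"}),
    _event("console-session", **{"aws.cloudtrail.session_credential_from_console": True}),
    _event("aws-internal", **{"user_agent.original": "AWS Internal"}),
    _event("assumed-role", **{"aws.cloudtrail.user_identity.type": "AssumedRole"}),
    _event("access-denied", **{"event.outcome": "failure"}),
]

def alerting_event_ids(events) -> list:
    """IDs of the events that would raise this rule."""
    return [e["id"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # ['cli-temp-cred-createuser']
```

Only the CLI event using an ASIA key alerts; the console-session and "AWS Internal" records are dropped by the two `not` clauses, which is where the false-positive reduction described at the top of the page comes from.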