Traffic may leave the cluster via corporate proxies, VPNs, or non-AWS NAT providers that populate a non-Amazon ASN organization name while still being legitimate. AWS IP ranges are also labeled with other organization strings (for example `AMAZON-02`); this rule only excludes `Amazon.com, Inc.` per the match condition; tune with additional approved ASNs, CIDRs, or known automation identities if needed.

Techniques

Sample rules

AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN

Description

Detects successful AssumeRoleWithWebIdentity where the caller identity is a Kubernetes service account and the source autonomous system organization is present but not Amazon.com, Inc. EKS workloads that obtain IAM credentials via IAM Roles for Service Accounts (IRSA) normally reach STS from AWS-managed or AWS-associated networks; the same identity from a clearly external ASN can indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.

Detection logic

data_stream.dataset:aws.cloudtrail and 
 event.provider:sts.amazonaws.com and 
 event.action:AssumeRoleWithWebIdentity and 
 event.outcome:success and user.name:system\:serviceaccount\:* and 
 source.as.organization.name:(* and not (Amazon* or AMAZON*))
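The following is an added example, not part of the rule or of Elastic's rule engine: a Python re-implementation of the KQL query above, run over constructed ECS-shaped CloudTrail events, together with the tuning the false-positive note recommends (approved ASN organization names, egress CIDRs, and known automation identities). All event values, the organization strings marked as placeholders, and the `198.51.100.0/24` corporate egress range are constructed sample data.

```python
# Added example: Python mirror of the KQL rule, plus the allowlist tuning the
# false-positive note suggests. Illustrative code; every event is constructed.
import ipaddress
from typing import Any


def field(event: dict, path: str) -> Any:
    """Resolve a dotted ECS field name such as 'source.as.organization.name'."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(event: dict) -> bool:
    """Every clause of the KQL query must hold for the event to match."""
    if field(event, "data_stream.dataset") != "aws.cloudtrail":
        return False
    if field(event, "event.provider") != "sts.amazonaws.com":
        return False
    if field(event, "event.action") != "AssumeRoleWithWebIdentity":
        return False
    if field(event, "event.outcome") != "success":
        return False
    # user.name:system\:serviceaccount\:*  -> a Kubernetes service-account subject
    user = field(event, "user.name") or ""
    if not user.startswith("system:serviceaccount:"):
        return False
    # source.as.organization.name:(* and not (Amazon* or AMAZON*))
    # '*' requires the field to exist; keyword wildcards are case-sensitive,
    # which is why the query spells both 'Amazon*' and 'AMAZON*'.
    org = field(event, "source.as.organization.name")
    if not org:
        return False
    return not org.startswith(("Amazon", "AMAZON"))


def is_approved(event: dict, approved_orgs, approved_cidrs, approved_identities) -> bool:
    """Tuning from the false-positive note: suppress known-good egress and automation."""
    if field(event, "source.as.organization.name") in approved_orgs:
        return True
    if field(event, "user.name") in approved_identities:
        return True
    ip = field(event, "source.ip")
    if ip:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in approved_cidrs)
    return False


def evaluate(events, approved_orgs=(), approved_cidrs=(), approved_identities=()):
    """Return user.name for each event that matches the rule and is not tuned out."""
    return [
        field(e, "user.name")
        for e in events
        if matches_rule(e)
        and not is_approved(e, approved_orgs, approved_cidrs, approved_identities)
    ]


def make_event(user: str, org, ip: str, outcome: str = "success") -> dict:
    """Build a constructed ECS-shaped CloudTrail event (sample data, not a real record)."""
    return {
        "data_stream": {"dataset": "aws.cloudtrail"},
        "event": {"provider": "sts.amazonaws.com",
                  "action": "AssumeRoleWithWebIdentity", "outcome": outcome},
        "user": {"name": user},
        "source": {"ip": ip, "as": {"organization": {"name": org}} if org else {}},
    }


SAMPLE_EVENTS = [
    # IRSA exchange from an Amazon-labelled network: excluded by the query itself
    make_event("system:serviceaccount:kube-system:aws-node", "Amazon.com, Inc.", "52.94.0.10"),
    # Same workload type egressing through a corporate proxy (placeholder org name):
    # the query matches, but the CIDR allowlist below suppresses it
    make_event("system:serviceaccount:payments:api", "Example Corp Proxy (placeholder)", "198.51.100.7"),
    # Service-account token exchanged from an unapproved external ASN: this alerts
    make_event("system:serviceaccount:payments:api", "Example Hosting Ltd (placeholder)", "203.0.113.9"),
    # No ASN enrichment at all: the '*' existence clause drops it
    make_event("system:serviceaccount:payments:api", None, "203.0.113.10"),
    # Human IAM principal, not a Kubernetes service account
    make_event("alice", "Example Hosting Ltd (placeholder)", "203.0.113.9"),
    # Failed exchange: event.outcome is not 'success'
    make_event("system:serviceaccount:payments:api", "Example Hosting Ltd (placeholder)",
               "203.0.113.9", outcome="failure"),
]

APPROVED_CIDRS = ("198.51.100.0/24",)  # constructed corporate egress range

if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS, approved_cidrs=APPROVED_CIDRS):
        print("ALERT:", name)
```

Running the module prints one alert, for the service-account exchange from the unapproved external ASN; the proxy case is matched by the query but removed by the CIDR allowlist, which is the tuning path the note describes. Because the rule keys on `source.as.organization.name` existing, events whose source IP was never ASN-enriched never match, so gaps in GeoIP/ASN enrichment are a blind spot worth monitoring separately.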