Valid Accounts: IAM Users
AWS Specific Sub-Technique
Other sub-techniques of Valid Accounts (4)
ID | Name |
---|---|
T1078.A002 | Account Root User |
T1078.A001 | IAM Users |
AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained control of an AWS IAM user, for example through leaked access keys or a compromised console password.
This technique covers a threat actor using an IAM user to perform unauthorized actions, either with the user's long-term credentials (access keys) or through the AWS Management Console. An IAM user is an entity that you create in your AWS account. It represents the human user or workload that uses it to interact with AWS resources. An IAM user consists of a name and credentials: a console password and/or up to two access keys.
An IAM user with administrator permissions is not the same as the AWS account root user. For more information about the root user, see AWS account root user (T1078.A002).
Detection
AWS Specific Content
Amazon GuardDuty provides finding types for cases where the credentials of an IAM user are used to perform suspicious actions, for example when an API is invoked from a known malicious IP address.
Every API call made with the credentials of an IAM user is logged in AWS CloudTrail. In each such event the userIdentity element has the type IAMUser, and its ARN (Amazon Resource Name) looks like the following example:
arn:aws:iam::111111111111:user/Richard
The User Guide for IAM users provides additional information on how IAM users are presented.
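The detection logic described above, as an added example that is not part of the original page: it reads CloudTrail records, keeps only those whose userIdentity type is IAMUser, and flags calls that originate outside a trusted network. The sample records, the trusted ranges (documentation prefixes) and the account ID are constructed for the example. The AKIA/ASIA prefix test distinguishes long-term access keys from temporary ones, and a sourceIPAddress that is a DNS name (such as lambda.amazonaws.com) is treated as a call made by an AWS service on the user's behalf rather than as an untrusted source.

```python
"""Detection over CloudTrail: IAM-user API calls from outside trusted networks.

Added example, not code from the original page. The records below are
constructed, and the trusted ranges are assumed (documentation prefixes).
"""
import ipaddress
import json
from collections import Counter

# Assumed corporate egress ranges.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]

# Constructed CloudTrail records (one JSON object per line), trimmed to the fields used.
SAMPLE_EVENTS = """
{"eventTime":"2024-05-01T10:00:00Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"192.0.2.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/Richard","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-05-01T10:05:00Z","eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/Richard","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-05-01T10:06:00Z","eventName":"CreateUser","eventSource":"iam.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/Richard","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-05-01T10:07:00Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/Deploy/ci","accessKeyId":"ASIAEXAMPLE000000002"}}
{"eventTime":"2024-05-01T10:08:00Z","eventName":"PutObject","eventSource":"s3.amazonaws.com","sourceIPAddress":"lambda.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/Richard","accessKeyId":"AKIAEXAMPLE000000001"}}
{"eventTime":"2024-05-01T10:09:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/Richard"}}
"""


def parse_events(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def source_is_trusted(source):
    """True/False for an IP source. None when CloudTrail recorded a service DNS name,
    which means an AWS service made the call on the principal's behalf."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_untrusted_iam_user_calls(events):
    """Return one finding per IAM-user call whose source IP is outside TRUSTED_NETWORKS."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue  # roles and the root user are covered by other sub-techniques
        trusted = source_is_trusted(ev.get("sourceIPAddress", ""))
        if trusted is None or trusted:
            continue
        key = ident.get("accessKeyId", "")  # absent for console sign-in events
        findings.append({
            "time": ev["eventTime"],
            "user": ident["arn"],
            "accessKeyId": key,
            "longTermKey": key.startswith("AKIA"),  # AKIA = long-term key, ASIA = temporary
            "action": ev["eventSource"].split(".")[0] + ":" + ev["eventName"],
            "sourceIP": ev["sourceIPAddress"],
        })
    return findings


def summarize(findings):
    """Count untrusted calls per (user ARN, source IP) to surface the noisiest pairs."""
    return Counter((f["user"], f["sourceIP"]) for f in findings)


if __name__ == "__main__":
    found = find_untrusted_iam_user_calls(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f)
    print(summarize(found))
```

On the constructed input this flags the GetCallerIdentity and CreateUser calls made with the long-term key and the console sign-in from the same untrusted address, and ignores the role session and the call that Lambda made on the user's behalf. In production the same logic would run over CloudTrail Lake, Athena or a SIEM rather than an inline string, and the trusted ranges should match the SCP below so that detection and prevention agree.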
Mitigation
AWS Specific Content
Where possible, we recommend relying on temporary credentials (for example, IAM roles or IAM Identity Center) instead of creating long-term credentials such as access keys. The security best practices in IAM also help to mitigate the compromise and unauthorized use of IAM user credentials by threat actors: require multi-factor authentication (MFA), rotate access keys and remove unused ones, and apply least-privilege permissions to IAM users.
The following Service Control Policy (SCP) limits the IP addresses from which IAM users can make requests to a trusted range. This helps prevent the use of stolen access keys from unexpected IP addresses:
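One way to operationalise the MFA and key-rotation recommendations above is to audit the IAM credential report (the CSV returned by `aws iam get-credential-report`, base64-decoded). The following is an added example, not code from the original page: it parses a constructed report with the real column layout and flags users who have a console password without MFA, active access keys older than an assumed 90-day rotation window, and active keys that have never been used. The account ID, user names, dates and the 90-day threshold are assumptions.

```python
"""Audit an IAM credential report for weak IAM-user credential hygiene.

Added example, not code from the original page. The report content is
constructed; the 90-day key age limit and the fixed "now" are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                          # assumed rotation policy

# Constructed credential report using the real column layout.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
Richard,arn:aws:iam::111111111111:user/Richard,2021-03-10T09:00:00+00:00,true,2024-05-30T11:00:00+00:00,2024-03-01T09:00:00+00:00,2024-06-01T09:00:00+00:00,false,true,2023-11-20T09:00:00+00:00,2024-05-31T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-07-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-15T09:00:00+00:00,2024-05-31T23:00:00+00:00,eu-west-1,ecr,true,2022-07-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-01-05T09:00:00+00:00,true,2024-05-29T08:00:00+00:00,2024-05-01T09:00:00+00:00,2024-08-01T09:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_time(value):
    """The report uses N/A, no_information and not_supported for absent timestamps."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, problem) pairs for IAM users with weak credential hygiene."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # the root user is handled under T1078.A002
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > max_key_age:
                age = (now - rotated).days
                findings.append((user, f"access key {slot} is {age} days old"))
            if last_used is None:
                findings.append((user, f"access key {slot} active but never used"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {problem}")
```

A never-used active key is worth its own finding because it is a credential that can only ever be used by someone other than its intended owner; deactivate it rather than waiting for it to age out.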
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "RestrictIAMBySourceIp",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
      },
      "BoolIfExists": {
        "aws:ViaAWSService": "false"
      },
      "ArnLike": {
        "aws:PrincipalArn": "arn:aws:iam::*:user/*"
      }
    }
  }
}
```
While the SCP above restricts the use of IAM user credentials to trusted IP networks, a similar restriction can be applied to IAM roles using a comparable SCP that AWS publishes for roles.
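To see exactly which requests the SCP above denies, the following added example (not part of the original page or of AWS's tooling) evaluates the policy's three condition operators against a handful of request contexts: an IAM user from a trusted and an untrusted address, the same user when an AWS service calls on its behalf (aws:ViaAWSService is true, so BoolIfExists does not match), and a role, which the ArnLike pattern excludes. The account ID, principal names and IP addresses are constructed; the treatment of a missing aws:SourceIp key as matching the negated NotIpAddress operator is an assumption that should be confirmed with the IAM policy simulator before relying on it.

```python
"""Evaluate the RestrictIAMBySourceIp SCP's conditions against sample request contexts.

Added example, not code from the original page. Only the operators this SCP
uses are implemented; the contexts and identifiers below are constructed.
"""
import fnmatch
import ipaddress
import json

SCP = json.loads(r'''
{ "Version": "2012-10-17",
  "Statement": { "Sid": "RestrictIAMBySourceIp", "Effect": "Deny",
    "Action": "*", "Resource": "*",
    "Condition": {
      "NotIpAddress": { "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"] },
      "BoolIfExists": { "aws:ViaAWSService": "false" },
      "ArnLike": { "aws:PrincipalArn": "arn:aws:iam::*:user/*" } } } }
''')

USER = "arn:aws:iam::111111111111:user/Richard"
ROLE = "arn:aws:iam::111111111111:role/Deploy"  # aws:PrincipalArn for a role session


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in_any(address, cidrs):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(condition, ctx):
    """All operators in a Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _as_list(expected)
            present = key in ctx
            if operator == "NotIpAddress":
                # Assumption: a negated operator matches when the key is absent,
                # as it is for requests that arrive through a VPC endpoint.
                if present and _ip_in_any(ctx[key], values):
                    return False
            elif operator == "BoolIfExists":
                # Matches when the key is absent, or present with the given value.
                if present and str(ctx[key]).lower() != values[0].lower():
                    return False
            elif operator == "ArnLike":
                if not present or not any(fnmatch.fnmatchcase(ctx[key], p) for p in values):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def statement_denies(stmt, ctx):
    """Deny statement applies when the action pattern and every condition match."""
    if stmt["Effect"] != "Deny":
        return False
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
        return False  # real IAM matches actions case-insensitively; the SCP uses "*"
    return condition_matches(stmt.get("Condition", {}), ctx)


def scp_denies(policy, ctx):
    return any(statement_denies(s, ctx) for s in _as_list(policy["Statement"]))


def example_results():
    """Constructed request contexts and whether the SCP denies each one."""
    base = {"action": "s3:ListBuckets", "aws:PrincipalArn": USER}
    cases = {
        "user_trusted_ip": {**base, "aws:SourceIp": "192.0.2.10"},
        "user_untrusted_ip": {**base, "aws:SourceIp": "198.51.100.7"},
        "user_via_service": {**base, "aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": "true"},
        "role_untrusted_ip": {**base, "aws:PrincipalArn": ROLE, "aws:SourceIp": "198.51.100.7"},
        "user_no_source_ip": dict(base),
    }
    return {name: scp_denies(SCP, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, denied in example_results().items():
        print(f"{name:20s} denied={denied}")
```

The role case shows why a separate SCP is needed for IAM roles, and the no-source-IP case is the one to test before rollout: requests that reach AWS through a VPC endpoint carry aws:VpcSourceIp rather than aws:SourceIp, so an SCP written only in terms of aws:SourceIp may block legitimate in-VPC traffic.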
You can use IAM Access Analyzer to review and verify access and manage permissions across your AWS environment on a regular basis; its findings highlight AWS identities with unused or excessive permissions and the actions those identities have actually performed, which is the input needed to reduce IAM users to least privilege.