Skip to content

[Rule Tuning] AWS IAM Assume Role Policy Update #4799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[Rule Tuning] AWS IAM Assume Role Policy Update #4799

wants to merge 4 commits into from

Conversation

imays11
Copy link
Contributor

@imays11 imays11 commented Jun 13, 2025
edited
Loading

Pull Request

Issue link(s):

Summary - What I changed

Roles are identities in AWS that are granted a set of permissions and can then be assumed by various users across many different sessions. Each of these sessions is given a session name which is attached to the end of the role's aws.cloudtrail.user_identity.arn. This means that each time a Role is assumed, there is a unique aws.cloudtrail.user_identity.arn created.

This rule is meant to capture new instances of the Role updating role policies. Right now it's analyzing each session used with the Role, resulting in false positives. To capture the role itself we can use the user.name field. cloud.account.id has been added to the new_terms fields to account for organizations with multiple AWS account ids, which may reuse certain user.names across accounts.

  • changed time window to have only 1 minute lookback
  • changed the new terms field to look at combination of cloud.account.id, user.name, and roleName. (This is to account for the problem with using aws.cloudtrail.user_identity.arn for AssumedRoles.)
  • added investigation fields
  • updated mitre techniques

This will improve performance and detection accuracy especially in environments where there are many users assuming the same role and updating it's trust policy as a part of normal operations.

How To Test

You can use this script to test this rule against both IAM user and Assumed Role Identity types.

For manual testing use an existing user or role to update a new policy (to trigger new_terms combination)

aws iam update-assume-role-policy \
    --role-name Test-Role \
    --policy-document file://Test-Role-Trust-Policy.json
Screenshot 2025-06-13 at 12 55 32 AM

@imays11
[Rule Tuning] AWS IAM Assume Role Policy Update
3bba6b6 
- changed time window to have only 1 minute lookback
- changed the new terms field to look at combination of cloud.account.id, user.name, and roleName. This is to account for the problem with using user_identity.arn for AssumedRoles. Roles are identities in AWS that are granted a set of permissions and can then be assumed by various users across many different sessions. Each of these sessions is designated a session name which is attached to the `user_identity.arn`. This means that each time a Role is assumed, there is a unique user_identity.arn created. This rule is meant to capture unique instances of the Role itself which is captured separate from the individual session names in the `user.name` field. `cloud.account.id` has been added to the new_terms fields to account for organizations with multiple AWS account ids, which may reuse certain user.names across accounts.

This may improve performance especially in environments where there are many users assuming the same role and updating it's trust policy as a part of normal operations.
@imays11 imays11 self-assigned this Jun 13, 2025
@imays11 imays11 added Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE Domain: Cloud labels Jun 13, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

Aegrah
Aegrah approved these changes Jun 13, 2025
View reviewed changes
Copy link
Contributor

@Aegrah Aegrah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@terrancedejesus
Copy link
Contributor

@imays11 - It looks like the session ID persists in user.name if it's an assumed role, from what I can tell. Does user.id make more sense? It captures the principal ID and the name of the principal, but does not include the session ID. Regarding cloud.account.id, this is valid if we are concerned with isolating these signals to a single tenant if multi-tenancy is setup. If not, I don't think it would be worth the extra performance.

@imays11
Copy link
Contributor Author

imays11 commented Jun 16, 2025

@terrancedejesus If you look below, session names are persisted in user.id but only the role name itself persists in user.name. If you also look at that session.id field at the end of the image, you can see that it also only shows the role name but this field is only included for AssumedRoles.
Screenshot 2025-06-16 at 11 53 37 AM

Regarding cloud.account.id, this is valid if we are concerned with isolating these signals to a single tenant if multi-tenancy is setup.

Yes we want to isolate this to each individual user, for organizations ingesting cloudtrail logs for multiple accounts we need to distinguish between the same user names across accounts so that's why I included the cloud.account.id

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Aegrah Aegrah Aegrah approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

At least 2 approving reviews are required to merge this pull request.

Assignees

@imays11 imays11

Labels
backport: auto Domain: Cloud Integration: AWS AWS related rules Rule: Tuning tweaking or tuning an existing rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@imays11 @terrancedejesus @Aegrah