Detect Unauthorized Third Parties in Your AWS Account | Datadog

Detect unauthorized third parties in your AWS account

Author Justin Massey
Author Jonathan Epstein

Published: April 21, 2021

Detecting when an unauthorized third party is accessing your AWS account is critical to ensuring your account remains secure. For example, an attacker may have gained access to your environment and created a backdoor to maintain persistence within your environment. Another common (and more frequent) type of unauthorized access can happen when a developer sets up a third-party tool and grants it access to your account to monitor your infrastructure for operations or optimize your bill. In AWS environments, this access can be especially hard to track due to the permission model of assumed roles.

In this blog post, we’ll look at how you can use Datadog Cloud SIEM to automatically detect when a user assumes a role so you can determine whether the role change is legitimate or the work of an unauthorized third party. This way, you can address the threat before it can propagate further and become a serious issue.

A brief summary of assumed roles

AWS’s assumed role model allows you to assign granular permissions to third parties without relinquishing control over the management of those permissions. In the standard model, an account administrator creates IAM roles that provide access to a particular set of cloud resources or API operations. Access to those roles can then be individually delegated to, and assumed by, AWS identities such as IAM users or other AWS accounts—including external third-party accounts like Datadog. These users and accounts themselves might not have any explicit permissions attached to them and thus must use a delegated role in order to interact with the AWS environment.

In the following example CloudTrail log you can see account 11111111111 assuming a role into another AWS account (accountId: 222222222222).

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSAccount",
        "principalId": "AIDA6CVLNXUS3POIDMGBK",
        "accountId": "111111111111"
    },
    "eventTime": "2021-04-21T10:00:00Z",
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRole",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "1.2.3.4",
    "userAgent": "Boto3/1.17.37 Python/3.7.10 Linux/4.14.198-152.320.amzn2.x86_64 Botocore/1.20.37",
    "requestParameters": {
        "roleArn": "arn:aws:iam::222222222222:role/ExampleRole",
        "roleSessionName": "ExampleRoleSession",
        "externalId": "0d56ab6c-c65b-4c96-bac4-334bd47d2874",
        "durationSeconds": 3600
    },
    "responseElements": {
        "credentials": {
            "accessKeyId": "ASIAZZZZZZZZZZZZZZZZ",
            "expiration": "Apr 21, 2021 5:00:00 PM",
            "sessionToken": "REDACTED"
        },
        "assumedRoleUser": {
            "assumedRoleId": "AROAYYYYYYYYYYYYYYYY:ExampleRoleSession",
            "arn": "arn:aws:sts::222222222222:assumed-role/ExampleRole/ExampleRoleSession"
        }
    },
    "requestID": "68d01b76-f24d-4fd0-92f7-460d2b7584b9",
    "eventID": "307a24d5-95a0-4456-b590-b228ee827c96",
    "readOnly": true,
    "resources": [
        {
            "accountId": "222222222222",
            "type": "AWS::IAM::Role",
            "ARN": "arn:aws:iam::222222222222:role/ExampleRole"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "222222222222",
    "sharedEventID": "2dea753f-8cb3-4db3-9ede-c9f7cc78e683",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-SHA",
        "clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
    }
}

Use Datadog to detect new AssumeRole accounts

Tracking the activity of users who assume roles is an important part of monitoring the security of your AWS environment. But users and third-party services assume roles so frequently it can be difficult to spot the events that actually represent a threat. To help with this, Datadog’s new term detection method analyzes all of your logs over a chosen period of time and treats that historical data as the baseline of expected environmental behavior. Then, Datadog generates a Security Signal whenever it ingests a log that contains anomalous attribute data of the chosen type.

So, if you want to get alerted whenever an unfamiliar AWS account assumes a role in your environment for the first time, you can use Datadog’s default rule or set up a new term–based rule that looks for all AWS accounts (userIdentity.accountId) that use the AssumeRole operation in your account and monitors for any unfamiliar ones. If you choose a seven-day period (as shown in the screenshot below), Datadog will analyze your logs over the next seven days to learn which accounts are making these calls and use this data as a baseline. Datadog can then detect and automatically alert your teams whenever an unfamiliar account assumes a role into your environment.

You can create Detection Rules that use the new term detection method to detect novel activity in your environment, such as an unauthorized third party attempting to access your AWS resources.

When an AssumeRole event from an unrecognized account triggers this rule, Datadog will automatically generate a Security Signal, which your security team can use to investigate the user behind the request, determine whether they’re authorized to use the role, and, if not, take the appropriate actions to lock them out.

Keep it secure

Delegating access permissions through IAM roles is an effective way to manage user authorization in AWS, but it can also make spotting unauthorized activity a challenge. New term-based Security Rules help you stay on top of unexpected activity in your cloud environments—and they’re just one of the many tools in Datadog’s Cloud SIEM suite. For more security tips from Datadog, check out our Cloud SIEM documentation. Or, if you’re not already a Datadog customer, get started today with a .