title: AWS AssumeRoot API operation
layout: page
date: 2025-07-27

Description: Grant root-level privileges in a member account to a privileged user in the management account.

References: 1

SPL:

index="aws" sourcetype="aws:cloudtrail" eventSource="sts.amazonaws.com" eventName="AssumeRoot"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
| table Time, region, requestParameters.targetPrincipal, requestParameters.taskPolicyArn.arn, sourceIPAddress, userAgent, userIdentity.invokedBy, userIdentity.type
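
The same hunt run over raw CloudTrail JSON, for triage outside Splunk. This is an added example, not part of the original page: the sample records are constructed, and the caller allowlist, the priority-task set and the function name `hunt_assume_root` are assumptions for illustration. It reads the target account and task policy from `requestParameters.targetPrincipal` and `requestParameters.taskPolicyArn.arn`.

```python
# Constructed CloudTrail records; account IDs, ARNs and IPs are placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2025-07-27T09:14:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.x",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/SecOps/alice"},
     "requestParameters": {"targetPrincipal": "222222222222", "taskPolicyArn": {
         "arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials"}}},
    {"eventTime": "2025-07-27T23:41:55Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.50", "userAgent": "Boto3/1.x",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/build"},
     "requestParameters": {"targetPrincipal": "333333333333", "taskPolicyArn": {
         "arn": "arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword"}}},
    {"eventTime": "2025-07-27T23:42:10Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/build"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/Deploy"}},
]

# Assumption: only this role prefix is expected to call AssumeRoot in this organization.
APPROVED_CALLER_PREFIXES = ("arn:aws:sts::111111111111:assumed-role/SecOps/",)
# Assumption: this task gets priority review; it allows root password recovery in the member account.
PRIORITY_TASKS = {"IAMCreateRootUserPassword"}

def hunt_assume_root(records):
    """Return one triage row per AssumeRoot call, with review flags."""
    rows = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("sts.amazonaws.com", "AssumeRoot"):
            continue  # skip AssumeRole and every other STS event
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # may be null in CloudTrail
        task = ((params.get("taskPolicyArn") or {}).get("arn") or "").rsplit("/", 1)[-1]
        flags = []
        if not (ident.get("arn") or "").startswith(APPROVED_CALLER_PREFIXES):
            flags.append("unapproved_caller")
        if task in PRIORITY_TASKS:
            flags.append("priority_task")
        if rec.get("errorCode"):
            flags.append("failed:" + rec["errorCode"])
        rows.append({"time": rec.get("eventTime"), "region": rec.get("awsRegion"),
                     "target_account": params.get("targetPrincipal"), "task": task,
                     "source_ip": rec.get("sourceIPAddress"), "caller": ident.get("arn"),
                     "identity_type": ident.get("type"), "flags": flags})
    return rows
```

Failed calls are kept in the output and flagged rather than dropped, since a denied AssumeRoot attempt from an unexpected principal is itself worth reviewing.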