---
title: AWS AssumeRoot API operation
layout: page
date: 2025-07-27
---
Description: The STS `AssumeRoot` API returns short-term credentials that let a privileged principal in the Organizations management account perform a scoped root-level task in a member account. Calls are rare in normal operations, so each one is worth reviewing.
References: [1](https://www.elastic.co/security-labs/exploring-aws-sts-assumeroot)
SPL:
```spl
index="aws" sourcetype="aws:cloudtrail" eventSource="sts.amazonaws.com" eventName="AssumeRoot"
| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S %z")
| table Time, region, requestParameters.targetPrincipal, requestParameters.taskPolicyArn.arn, sourceIPAddress, userAgent, userIdentity.invokedBy, userIdentity.type
```
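The same filter and column set applied to raw CloudTrail JSON, as an added Python example (not part of the original note) for testing the hunt logic outside Splunk; the records are constructed samples, and the `targetPrincipal` / `taskPolicyArn` request fields follow the AssumeRoot event shape shown in the referenced article.

```python
import json
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real events): one AssumeRoot call
# and one ordinary AssumeRole call that the filter must ignore.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-07-27T10:15:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoot", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "mgmt-admin"},
     "requestParameters": {"targetPrincipal": "111122223333", "durationSeconds": 900,
                           "taskPolicyArn": {"arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"}}},
    {"eventTime": "2025-07-27T10:16:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "mgmt-admin"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy"}},
]})

def is_assume_root(record: dict) -> bool:
    """Same predicate as the SPL search: STS event source and AssumeRoot event name."""
    return (record.get("eventSource") == "sts.amazonaws.com"
            and record.get("eventName") == "AssumeRoot")

def format_time(event_time: str) -> str:
    """Render CloudTrail's ISO-8601 UTC eventTime the way the SPL strftime call does."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S %z")

def hunt_assume_root(trail_json: str) -> list:
    """One row per AssumeRoot call with the columns the SPL table shows; fields that
    CloudTrail omits (invokedBy is only set for service-initiated calls) become None."""
    rows = []
    for rec in json.loads(trail_json).get("Records", []):
        if not is_assume_root(rec):
            continue
        req = rec.get("requestParameters") or {}
        ident = rec.get("userIdentity") or {}
        rows.append({
            "Time": format_time(rec["eventTime"]),
            "region": rec.get("awsRegion"),
            "targetPrincipal": req.get("targetPrincipal"),  # member account receiving root access
            "taskPolicyArn": (req.get("taskPolicyArn") or {}).get("arn"),  # privileged task requested
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
            "invokedBy": ident.get("invokedBy"),
            "identityType": ident.get("type"),
        })
    return rows
```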