
This article provides some starting places to think about investigating issues in AWS. We use this list to help train our investigators.

What type of ARN is it?

An ARN (Amazon Resource Name) can identify many things: a device, a user, a certificate, and so on. Understand the format of the ARN.

What type of AWS principal?

Are you dealing with an AWS IAM user or a role? With an AWS IAM role, the AWS principal (user, resource, and so on) takes on the permission context of the role: once you assume it, you hold every right the role has. You need permission to assume that role, most likely granted through policy. Remember that role credentials are temporary and user credentials are permanent.

What's the User-Agent?

Is the user accessing the AWS console (for example, through a web browser)? Or is the user interacting with the API using a Python library (for example, Boto3/1.9.22 Python/3.6.10 Linux/4.4.0-1100-aws Botocore/1.12.253)?

The User-Agent may be spoofed!

Does the account or the activity typically happen from the source IP address?

Review Ruxie login information. Does the account in question typically authenticate from the IP address in the alert? Is there additional authentication activity from the source IP address?

Has the IAM role performed this action before?

Does this IAM user typically perform these actions or assume these roles?

What other roles did the AWS account assume or try to assume?

Review AssumedRole activity. Are you seeing a number of failures?

Do you see a lot of failures to assume other roles?

Is the IAM user attempting to assume roles it doesn't have permission to assume? This could be a sign of IAM credential theft.
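As an added example that is not part of the original article, the following Python script applies three of the questions above (User-Agent, source IP baseline, and repeated AssumeRole failures) to a few constructed CloudTrail-style records. The field names (eventName, errorCode, userIdentity.arn, sourceIPAddress, userAgent, requestParameters.roleArn) are standard CloudTrail fields; the baseline IP set, the console user-agent prefixes and the failure threshold are assumptions.

```python
from collections import defaultdict

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
BOTO_UA = "Boto3/1.9.22 Python/3.6.10 Linux/4.4.0-1100-aws Botocore/1.12.253"

# Constructed CloudTrail-style records (not real data) for two IAM users.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "errorCode": "AccessDenied", "userAgent": BOTO_UA,
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"}},
    {"eventName": "AssumeRole", "errorCode": "AccessDenied", "userAgent": BOTO_UA,
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Billing"}},
    {"eventName": "AssumeRole", "userAgent": BOTO_UA,  # no errorCode: this one succeeded
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/ReadOnly"}},
    {"eventName": "ConsoleLogin", "userAgent": "signin.amazonaws.com",
     "userIdentity": {"arn": BOB}, "sourceIPAddress": "198.51.100.20"},
]

# Assumed baseline of IPs each principal normally authenticates from
# (in practice this comes from historical login data, e.g. the Ruxie lookup).
BASELINE_IPS = {ALICE: {"198.51.100.7"}, BOB: {"198.51.100.20"}}

# Assumed user-agent prefixes for console activity; anything else is treated as API use.
CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com")


def summarize(events, baseline_ips, fail_threshold=2):
    """Per principal: denied AssumeRole targets, non-baseline source IPs,
    programmatic client families, and a flag when denials reach the threshold."""
    findings = defaultdict(lambda: {"denied_roles": [], "new_ips": set(), "api_agents": set()})
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        f = findings[arn]
        ip = ev.get("sourceIPAddress")
        if ip and ip not in baseline_ips.get(arn, set()):
            f["new_ips"].add(ip)
        ua = ev.get("userAgent", "")
        if ua and not ua.startswith(CONSOLE_AGENTS):
            f["api_agents"].add(ua.split("/")[0])  # client family only, e.g. "Boto3"
        if ev.get("eventName") == "AssumeRole" and ev.get("errorCode"):
            f["denied_roles"].append(ev.get("requestParameters", {}).get("roleArn"))
    # Repeated denials are the "lots of failures to assume other roles" signal.
    return {arn: dict(f, suspicious=len(f["denied_roles"]) >= fail_threshold)
            for arn, f in findings.items()}
```

Running `summarize(SAMPLE_EVENTS, BASELINE_IPS)` flags alice (two denials, an unfamiliar IP, a Boto3 client) and leaves bob's console login unflagged.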