AWS STS AssumeRole and Temporary Credential Events
Tags: Cloud & SaaS, Authentication & Access, AWS, AWS STS, CloudTrail, Cloud Control Plane, SIEM / Log Aggregator
Location
CloudTrail management events for sts.amazonaws.com and AssumeRole / federation API calls
Description
CloudTrail records for AWS Security Token Service activity such as AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, and GetFederationToken. These events show temporary-credential issuance across accounts, identities, and workloads.
Forensic Value
STS events explain how an attacker moved between AWS identities without long-lived keys. They reveal the source principal, the target role, cross-account pivots, web identity federation abuse, and short-lived sessions created from compromised workloads. Correlating STS issuance with subsequent API activity reconstructs the real privilege path used during the intrusion.
Tools Required
AWS Console, AWS CLI, Athena, SIEM
Collection Commands
AWS CLI
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole --start-time 2026-03-01T00:00:00Z --end-time 2026-03-07T23:59:59Z --output json > sts_assumerole_events.json
AWS CLI
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=sts.amazonaws.com --output json > sts_service_events.json
Athena
SELECT eventtime, useridentity.arn, eventname, requestparameters, sourceipaddress FROM cloudtrail_logs WHERE eventsource = 'sts.amazonaws.com' AND eventtime BETWEEN TIMESTAMP '2026-03-01 00:00:00' AND TIMESTAMP '2026-03-07 23:59:59';
Collection Constraints
- STS activity is visible through CloudTrail, so gaps in trail retention or disabled regions directly reduce visibility.
- Short-lived sessions require correlation with subsequent API activity to determine what the assumed role actually did.
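As an added example (not part of the original entry), the correlation described under Forensic Value and in the second constraint, in Python: index every STS issuance by the temporary accessKeyId returned in responseElements.credentials, then walk each later event's userIdentity.accessKeyId back through chained AssumeRole calls to the principal that started the chain. The records below are constructed samples carrying only the fields the logic reads; real input would be the parsed JSON from each CloudTrailEvent string in the lookup-events output, or rows exported from Athena.

```python
# Constructed sample CloudTrail records (only the fields the correlation uses).
# Chain: IAM user alice -> role Deploy (account 1111...) -> role Admin (account 4444...) -> ec2:RunInstances
SAMPLE_RECORDS = [
    {"eventTime": "2026-03-02T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "accessKeyId": "AKIAEXAMPLE000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy", "roleSessionName": "ci"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000AAA"}}},
    {"eventTime": "2026-03-02T10:01:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci", "accessKeyId": "ASIAEXAMPLE000AAA"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/Admin", "roleSessionName": "ci"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000BBB"}}},
    {"eventTime": "2026-03-02T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::444455556666:assumed-role/Admin/ci", "accessKeyId": "ASIAEXAMPLE000BBB"}},
]

ISSUING_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity", "GetFederationToken"}

def index_issuance(records):
    """Map each temporary access key id to the STS event that issued it."""
    issued = {}
    for r in records:
        if r.get("eventSource") == "sts.amazonaws.com" and r.get("eventName") in ISSUING_EVENTS:
            key = r.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                issued[key] = r
    return issued

def privilege_path(access_key, issued):
    """Walk issuance backwards from a temporary key to the principal that started the chain."""
    path, seen = [], set()
    while access_key in issued and access_key not in seen:
        seen.add(access_key)
        ev = issued[access_key]
        path.append(ev.get("requestParameters", {}).get("roleArn", ev["eventName"]))
        caller = ev["userIdentity"]
        access_key = caller.get("accessKeyId")   # the key that made this STS call (absent for SAML/OIDC callers)
        if access_key not in issued:             # long-lived key or federated identity: this is the chain root
            path.append(caller.get("arn") or caller.get("type"))
    return list(reversed(path))

def attribute_activity(records):
    """Attach the reconstructed privilege path to every non-STS API call made with a temporary key."""
    issued = index_issuance(records)
    results = []
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if r.get("eventSource") != "sts.amazonaws.com" and key in issued:
            results.append((r["eventTime"], r["eventName"], " -> ".join(privilege_path(key, issued))))
    return results

if __name__ == "__main__":
    for when, action, path in attribute_activity(SAMPLE_RECORDS):
        print(when, action, path)
```

Cross-account hops appear in both accounts' trails with the same sharedEventID, so merge the trails before indexing or the chain will break at the account boundary.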
MITRE ATT&CK Techniques
T1078.004, T1550.001, T1098