Skip to content

AssumeRole

AWS

AssumeRole

service: AWS - STS
techniques:

Event

Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role’s permissions.

Security Context

  • Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.

Log Source

CloudTrail

Sample Event

Hermione assumes GraphornAdminRole from her IAM user using the AWS CLI.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione"
},
"eventTime": "2026-04-15T13:42:11Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/sts.assume-role",
"requestParameters": {
"roleArn": "arn:aws:iam::555123456789:role/GraphornAdminRole",
"roleSessionName": "hermione-graphorn-session",
"sourceIdentity": "hermione",
"durationSeconds": 3600
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAGRAPH0RNSESS1ON1",
"sessionToken": "<encoded session token blob>",
"expiration": "Apr 15, 2026, 2:42:11 PM"
},
"assumedRoleUser": {
"assumedRoleId": "AROAGRAPH0RNADM1NR01:hermione-graphorn-session",
"arn": "arn:aws:sts::555123456789:assumed-role/GraphornAdminRole/hermione-graphorn-session"
},
"sourceIdentity": "hermione"
},
"requestID": "90000000-0000-4000-8000-000000000001",
"eventID": "90000000-0000-4000-8000-000000000010",
"readOnly": true,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::555123456789:role/GraphornAdminRole"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
}
}

Analyst Notes

AssumeRole is one of the highest-volume CloudTrail events. It fires constantly from normal operations: IAM Identity Center (SSO) sessions, CI/CD and IaC tooling (Terraform, GitHub Actions OIDC), AWS services assuming their own service roles, and documented cross-account access.

A given instance is worth a closer look when the surrounding details break from that baseline: a roleArn in an unexpected account, a sourceIPAddress outside known ranges, a roleSessionName that looks tool-generated, a jump to a far more privileged role than the caller normally uses, or an assumption immediately followed by discovery (GetCallerIdentity, ListBuckets) or sensitive reads. Role chaining, where an already-assumed role assumes another, appears in userIdentity.sessionContext and is worth baselining for a given environment.

Key Fields

  • userIdentity.arn — who initiated the call
  • requestParameters.roleArn — the role assumed, and which account it lives in
  • requestParameters.roleSessionName — frequently reveals the tooling used
  • sourceIPAddress — origin of the request
  • responseElements.assumedRoleUser.arn — the resulting identity
  • userIdentity.sessionContext — present when the caller was itself an assumed role (role chaining)

References

MITRE ATT&CK Mapping

Tactics: Initial Access Privilege Escalation Lateral Movement Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...