AssumeRole
AssumeRole
Event
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role’s permissions.
Security Context
- Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.
Log Source
CloudTrail
Sample Event
Hermione assumes GraphornAdminRole from her IAM user using the AWS CLI.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555123456789:user/hermione", "accountId": "555123456789", "accessKeyId": "AKIAHERM10NEEXAMPLE1", "userName": "hermione" }, "eventTime": "2026-04-15T13:42:11Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/sts.assume-role", "requestParameters": { "roleArn": "arn:aws:iam::555123456789:role/GraphornAdminRole", "roleSessionName": "hermione-graphorn-session", "sourceIdentity": "hermione", "durationSeconds": 3600 }, "responseElements": { "credentials": { "accessKeyId": "ASIAGRAPH0RNSESS1ON1", "sessionToken": "<encoded session token blob>", "expiration": "Apr 15, 2026, 2:42:11 PM" }, "assumedRoleUser": { "assumedRoleId": "AROAGRAPH0RNADM1NR01:hermione-graphorn-session", "arn": "arn:aws:sts::555123456789:assumed-role/GraphornAdminRole/hermione-graphorn-session" }, "sourceIdentity": "hermione" }, "requestID": "90000000-0000-4000-8000-000000000001", "eventID": "90000000-0000-4000-8000-000000000010", "readOnly": true, "resources": [ { "accountId": "555123456789", "type": "AWS::IAM::Role", "ARN": "arn:aws:iam::555123456789:role/GraphornAdminRole" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "sts.us-east-1.amazonaws.com" }}Analyst Notes
AssumeRole is one of the highest-volume CloudTrail events. It fires constantly from normal operations: IAM Identity Center (SSO) sessions, CI/CD and IaC tooling (Terraform, GitHub Actions OIDC), AWS services assuming their own service roles, and documented cross-account access.
A given instance is worth a closer look when the surrounding details break from that baseline: a roleArn in an unexpected account, a sourceIPAddress outside known ranges, a roleSessionName that looks tool-generated, a jump to a far more privileged role than the caller normally uses, or an assumption immediately followed by discovery (GetCallerIdentity, ListBuckets) or sensitive reads. Role chaining, where an already-assumed role assumes another, appears in userIdentity.sessionContext and is worth baselining for a given environment.
Key Fields
userIdentity.arn— who initiated the callrequestParameters.roleArn— the role assumed, and which account it lives inrequestParameters.roleSessionName— frequently reveals the tooling usedsourceIPAddress— origin of the requestresponseElements.assumedRoleUser.arn— the resulting identityuserIdentity.sessionContext— present when the caller was itself an assumed role (role chaining)
References
- AWS: STS AssumeRole API reference
- Lateral movement between AWS accounts — abusing trust relationships (Summit Route)
- Real-world: SCARLETEEL (Sysdig, 2023) — container compromise leading to AWS credential theft and cross-account movement via assumed roles
MITRE ATT&CK Mapping
Tactics: Initial Access Privilege Escalation Lateral Movement Stealth
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...