AssumeRoleWithSAML
AWS
AssumeRoleWithSAML
Event
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
Security Context
- Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.
Log Source
CloudTrail
Sample Event
Legitimate. Hermione signs in to AWS via the corporate SAML 2.0 IdP (an Okta tenant) using her hardware MFA, and the IdP issues an assertion that maps her to GraphornAdminRole in the production account. The SAML provider is registered as arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta. The session is initiated through the IdP’s SSO flow, so sourceIPAddress is AWS Internal (the IdP-to-STS leg, per AWS docs); the role session name is hermione@fantasticlogs.cloud.
{ "eventVersion": "1.09", "userIdentity": { "type": "SAMLUser", "principalId": "Cdddddd0EXAMPLEsamlIDP=:hermione@fantasticlogs.cloud", "userName": "hermione@fantasticlogs.cloud", "identityProvider": "Cdddddd0EXAMPLEsamlIDP=" }, "eventTime": "2026-04-15T13:42:11Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "aws-internal/3 aws-sdk-java/1.12.479 Linux/5.10.186-157.751.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.7+11 java/17.0.7 kotlin/1.3.72 vendor/Amazon.com_Inc. cfg/retry-mode/standard", "requestParameters": { "sAMLAssertionID": "_c0046cEXAMPLEb9d4b8eEXAMPLE2619aEXAMPLE", "roleSessionName": "hermione@fantasticlogs.cloud", "principalTags": { "Department": "SecurityEngineering", "Email": "hermione@fantasticlogs.cloud" }, "transitiveTagKeys": [ "Department", "Email" ], "roleArn": "arn:aws:iam::555123456789:role/GraphornAdminRole", "principalArn": "arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta", "durationSeconds": 3600 }, "responseElements": { "credentials": { "accessKeyId": "ASIAGRAPH0RNSESS1ON1", "sessionToken": "<encoded session token blob>", "expiration": "Apr 15, 2026, 2:42:11 PM" }, "assumedRoleUser": { "assumedRoleId": "AROAGRAPH0RNADM1NR01:hermione@fantasticlogs.cloud", "arn": "arn:aws:sts::555123456789:assumed-role/GraphornAdminRole/hermione@fantasticlogs.cloud" }, "packedPolicySize": 1, "subject": "hermione@fantasticlogs.cloud", "subjectType": "transient", "issuer": "https://fantasticlogs.okta.com", "audience": "https://signin.aws.amazon.com/saml", "nameQualifier": "Cdddddd0EXAMPLEsamlIDP=" }, "requestID": "90000000-0000-4000-8000-000001101110", "eventID": "90000000-0000-4000-8000-000001101111", "readOnly": true, "resources": [ { "accountId": "555123456789", "type": "AWS::IAM::Role", "ARN": "arn:aws:iam::555123456789:role/GraphornAdminRole" }, { "accountId": "555123456789", "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "sts.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Initial Access Privilege Escalation Lateral Movement Stealth
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...