AssumeRoleWithSAML
Event
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
Security Context
- Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Initial Access, Privilege Escalation, Lateral Movement
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...