Skip to content

AssumeRoleWithSAML

AWS

AssumeRoleWithSAML

service: AWS - STS
techniques:

Event

Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.

Security Context

  • Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Cross-account role assumption enables lateral movement between cloud accounts, potentially reaching production or sensitive environments.

Log Source

CloudTrail

Sample Event

Legitimate. Hermione signs in to AWS via the corporate SAML 2.0 IdP (an Okta tenant) using her hardware MFA, and the IdP issues an assertion that maps her to GraphornAdminRole in the production account. The SAML provider is registered as arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta. The session is initiated through the IdP’s SSO flow, so sourceIPAddress is AWS Internal (the IdP-to-STS leg, per AWS docs); the role session name is hermione@fantasticlogs.cloud.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "SAMLUser",
"principalId": "Cdddddd0EXAMPLEsamlIDP=:hermione@fantasticlogs.cloud",
"userName": "hermione@fantasticlogs.cloud",
"identityProvider": "Cdddddd0EXAMPLEsamlIDP="
},
"eventTime": "2026-04-15T13:42:11Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRoleWithSAML",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "aws-internal/3 aws-sdk-java/1.12.479 Linux/5.10.186-157.751.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.7+11 java/17.0.7 kotlin/1.3.72 vendor/Amazon.com_Inc. cfg/retry-mode/standard",
"requestParameters": {
"sAMLAssertionID": "_c0046cEXAMPLEb9d4b8eEXAMPLE2619aEXAMPLE",
"roleSessionName": "hermione@fantasticlogs.cloud",
"principalTags": {
"Department": "SecurityEngineering",
"Email": "hermione@fantasticlogs.cloud"
},
"transitiveTagKeys": [
"Department",
"Email"
],
"roleArn": "arn:aws:iam::555123456789:role/GraphornAdminRole",
"principalArn": "arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta",
"durationSeconds": 3600
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAGRAPH0RNSESS1ON1",
"sessionToken": "<encoded session token blob>",
"expiration": "Apr 15, 2026, 2:42:11 PM"
},
"assumedRoleUser": {
"assumedRoleId": "AROAGRAPH0RNADM1NR01:hermione@fantasticlogs.cloud",
"arn": "arn:aws:sts::555123456789:assumed-role/GraphornAdminRole/hermione@fantasticlogs.cloud"
},
"packedPolicySize": 1,
"subject": "hermione@fantasticlogs.cloud",
"subjectType": "transient",
"issuer": "https://fantasticlogs.okta.com",
"audience": "https://signin.aws.amazon.com/saml",
"nameQualifier": "Cdddddd0EXAMPLEsamlIDP="
},
"requestID": "90000000-0000-4000-8000-000001101110",
"eventID": "90000000-0000-4000-8000-000001101111",
"readOnly": true,
"resources": [
{
"accountId": "555123456789",
"type": "AWS::IAM::Role",
"ARN": "arn:aws:iam::555123456789:role/GraphornAdminRole"
},
{
"accountId": "555123456789",
"type": "AWS::IAM::SAMLProvider",
"ARN": "arn:aws:iam::555123456789:saml-provider/FantasticLogsOkta"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "sts.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Initial Access Privilege Escalation Lateral Movement Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...