AWS AssumeRole
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
Initial Access
Initial Access
Section titled “Initial Access”The adversary is trying to get into your network.
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
In cloud environments, initial access often involves compromised credentials, misconfigured identity providers, or exploiting exposed cloud services. Adversaries may leverage stolen API keys, abuse federated authentication (SAML/OIDC), or exploit publicly accessible storage buckets and serverless endpoints to establish their first foothold.
View Initial Access on MITRE ATT&CK →Events Related to Initial Access
Section titled “Events Related to Initial Access”AWS AssumeRoleWithSAML
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
AWS AssumeRoleWithWebIdentity
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
AWS AuthorizeSecurityGroupIngress
Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.
GCP compute.instances.addAccessConfig
Adds an external IP access configuration to an instance, exposing an internal resource to the internet.
AWS ConsoleLogin
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
AWS GetFederationToken
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
AWS GetSigninToken
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
AWS PasswordRecoveryRequested
Records a request to recover or reset the AWS account root user password via the password reset process.