Cloud Security

Unified Detections with Sweet: Detecting Cross-Account Role Assumptions

Lea Edelstein

Head of Product

December 22, 2024


Attackers are known to hop across accounts to escalate privileges and exfiltrate data. At Sweet, we excel in protecting against unified attacks using a combination of sensor data, cloud logs, and advanced baseline mechanisms that analyze your cloud environments. 

In this blog, we’ll explore an attack recently seen in a customer’s environment involving cross-account role assumptions, detailing how our technologies work together to uncover and analyze such complex incidents.

What is a “Cross-Account Role Assumption”?

A cross-account role assumption is a method that allows one cloud account to access resources or perform actions as another account by assuming a specific role. For example, Account A creates a role (S3AccessRole) granting read access to an S3 bucket and allows Account B to assume it.

In the attack mentioned above, the adversary began by exploiting a weak link in the chain: an exposed token within a pod's configuration map. With this token, they assumed the identity of two distinct AWS cloud accounts in succession. Once entrenched with the privileges of the second account, the attacker accessed and exfiltrated sensitive information from an S3 bucket. But the breach didn’t stop there. The attacker then turned destructive, deleting a separate S3 bucket altogether. To mask their tracks and delay detection, they strategically deleted the activity logs tied to both compromised roles.

Diagram of cross-account role assumption.

To summarize: 

  • The attack involved two separate accounts, leveraging their legitimate permissions to move laterally in the environment. 
  • The attacker targeted specific cloud resources, including EC2 instances and S3 buckets, and performed unauthorized deletions.

Multi-Layered Detection in Action: A Step-by-Step Analysis

Data from multiple sources—sensors and logs—played a crucial role in uncovering the details of this attack. By correlating activities across cloud accounts, roles, and resources, Sweet was able to identify and present the attack as a unified incident. Here is how Sweet’s platform analyzed the incident: 

1. Identifying the Scope: Cross-Account Relationships

The first step in our detection process is understanding the breadth of the attack. Our system immediately flags that two accounts are involved. This insight is critical because cross-account activities often signal privilege escalation attempts or lateral movement, which are high-risk behaviors.

By analyzing the relationships between roles and accounts, our platform identifies:

  • The roles used in each account and their respective permissions.
  • The targets involved, such as EC2 instances and buckets, which give SecOps teams a clear understanding of what’s at stake.

See which accounts were targeted by the adversary.

2. Sensor and Log Correlation: Unifying Events Across Apps, Workloads, and Cloud

Sweet’s detection engine integrates data from two key sources:

  • Sensors: Deployed at the workload and application level, our sensors monitor real-time activity. They detect suspicious processes, role usage, and other runtime behaviors.
  • Logs: Cloud logs provide a historical record of actions like API calls, role assumptions, and resource modifications.

By correlating these two data streams, we ensure no detail is overlooked. For instance, while logs might show the role assumption, our sensor can provide additional context, such as the specific processes initiated by the attacker post-assumption.

Note that both cloud logs and sensor data were utilized to spot the attack.
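As an added illustration of the log-side correlation described above (example code written for this post's scenario, not part of Sweet's platform), the script below builds a constructed CloudTrail-style sample log with placeholder account IDs, role names and session names, links each STS session back to the principal that created it through AssumeRole, and flags every action whose assumption chain spans more than one account, rating bucket and trail deletion as high severity:

```python
POD = "arn:aws:sts::111111111111:assumed-role/PodRole/pod-session"  # constructed pod identity
ROLE_A = "arn:aws:iam::222222222222:role/S3AccessRole"               # constructed, Account A
ROLE_B = "arn:aws:iam::333333333333:role/DataAdminRole"              # constructed, Account B
HIGH_IMPACT = {"DeleteBucket", "DeleteTrail", "StopLogging", "TerminateInstances"}

def account_of(arn):
    return arn.split(":")[4]  # the account ID is the 5th colon-separated field of an ARN

def session_arn(role_arn, session):  # ARN CloudTrail shows as userIdentity.arn after AssumeRole
    return f"arn:aws:sts::{account_of(role_arn)}:assumed-role/{role_arn.split('/')[-1]}/{session}"

def assume(time, actor, role_arn):  # constructed AssumeRole record, minimal fields only
    return {"eventTime": time, "eventName": "AssumeRole",
            "userIdentity": {"type": "AssumedRole", "arn": actor},
            "requestParameters": {"roleArn": role_arn},
            "responseElements": {"assumedRoleUser": {"arn": session_arn(role_arn, "pod-session")}}}

def action(time, actor, name):  # constructed record for a non-STS API call by a session
    return {"eventTime": time, "eventName": name, "userIdentity": {"type": "AssumedRole", "arn": actor}}

SESSION_A, SESSION_B = session_arn(ROLE_A, "pod-session"), session_arn(ROLE_B, "pod-session")
EVENTS = [  # constructed sample log mirroring the sequence described in the post
    assume("2024-12-01T10:00:00Z", POD, ROLE_A),
    assume("2024-12-01T10:00:05Z", SESSION_A, ROLE_B),
    action("2024-12-01T10:01:00Z", SESSION_B, "GetObject"),
    action("2024-12-01T10:02:00Z", SESSION_B, "DeleteBucket"),
    action("2024-12-01T10:03:00Z", SESSION_B, "DeleteTrail"),
    action("2024-12-01T10:04:00Z", "arn:aws:sts::333333333333:assumed-role/CiRole/deploy", "DeleteBucket"),
]

def session_parents(events):  # STS session ARN -> principal that created it via AssumeRole
    return {e["responseElements"]["assumedRoleUser"]["arn"]: e["userIdentity"]["arn"]
            for e in events if e["eventName"] == "AssumeRole"}

def session_chain(arn, parents):  # walk from the acting session back to its root, root first
    chain = [arn]
    while chain[-1] in parents and parents[chain[-1]] not in chain:  # cycle guard
        chain.append(parents[chain[-1]])
    return chain[::-1]

def cross_account_findings(events):
    """Flag every non-STS action whose assumption chain spans more than one account."""
    parents, findings = session_parents(events), []
    for e in (e for e in events if e["eventName"] != "AssumeRole"):
        chain = session_chain(e["userIdentity"]["arn"], parents)
        accounts = list(dict.fromkeys(account_of(a) for a in chain))  # ordered, de-duplicated
        if len(accounts) > 1:
            findings.append({"time": e["eventTime"], "action": e["eventName"], "root": chain[0],
                             "accounts": accounts, "severity": "high" if e["eventName"] in HIGH_IMPACT else "info"})
    return findings
```

Real CloudTrail records carry many more fields; the join the walk relies on is responseElements.assumedRoleUser.arn of one record matching userIdentity.arn of later ones, and the single-account CiRole deletion at the end is left unflagged to show the baseline case.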

3. Attack Path Visualization: Connecting the Dots

To make complex attack scenarios understandable, Sweet generates a detailed visual graph of each incident. This graph illustrates:

  • Manual intervention: Identifying the user and roles involved, including their specific actions.
  • Cross-account role usage: Highlighting how roles were assumed and used across accounts.
  • Resource targeting: Displaying EC2 instances, S3 buckets, and other resources involved in the incident.

For example, in this scenario, the graph clearly shows how the attacker leveraged one role to assume another and subsequently targeted multiple resources.

Determine which roles were compromised and what the attacker did with each account/role.

4. Detailed Findings: Tracking the Attacker’s Actions

Sweet captures every action taken by the attacker, including:

  • Role assumptions: The attacker’s ability to assume roles across accounts, a key step in privilege escalation.
  • Resource modifications: Unauthorized deletions of EC2 instances and S3 buckets, likely intended to disrupt operations or cover tracks.
  • Target mapping: A detailed view of all affected resources, helping prioritize response efforts.

Understand exactly what the attacker did, when, and why.

5. Resolve and Prevent Similar Attacks in the Future

To prevent and stop attacks like this, security teams first need to understand how the adversary infiltrated the environment and gained initial access. Whether the entry point was a misconfigured pod, deployment, or AWS account, teams need to reinforce security controls around it.

The root cause of this attack—an unmanaged, stolen token—was all it took for the adversary to enter the environment, move laterally, and delete cloud resources. Secrets like tokens must be carefully managed, encrypted, and rotated regularly, with exposure risks minimized through best practices. Sweet Security offers best-in-class detection and remediation assistance for such misconfigurations, ensuring your environment is fortified against future breaches.

A Complete Picture of Cloud Security

This cross-account role assumption attack showcases Sweet Security’s ability to detect, analyze, and visualize sophisticated breach attempts. By leveraging sensor data, logs, and advanced analytics, our platform provides unparalleled insights into cloud environments.

Why Sweet Stands Out

🍭 Holistic Visibility Across Accounts

Unified detection across cloud accounts ensures no malicious activity slips through the cracks. Our system connects seemingly unrelated actions, revealing how attackers exploit multi-account setups.

🍭 Correlated Multi-Layer Data

Combining real-time sensor data from your applications and workloads with cloud logs provides unmatched depth and accuracy in detection. This multi-layered approach ensures SecOps teams can detect, analyze, and respond with confidence.

🍭 Actionable Insights with Advanced Analytics

Our platform doesn’t just detect anomalies—it explains them. The combination of visual graphs, anomaly heat maps, and filtered findings empowers teams to act decisively.

🍭 Proactive Risk Management

Sweet Security highlights not just what the attacker did but also the potential risks and impacts, enabling proactive risk mitigation. For instance, by showing the roles involved, their permissions, and the targeted resources, teams can tighten controls to prevent future incidents.

Want to see how Sweet Security can help protect your organization from unified attacks like this? Contact us to schedule a demo or learn more about our unified detection capabilities. Together, we can secure your cloud environment against even the most complex threats.
