Multiple failed AWS assume role attempts

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-05-18

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007) Privilege Escalation (TA0004)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Account Discovery: Cloud Account (T1087.004)
Severity	Informational

An AWS identity performed an unusual high number of failed assume role attempts.

Identify accessible roles and move laterally or escalate privileges within a cloud environment.

Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious.
Evaluate if the source IP address or user agent associated with these attempts is known or suspicious.
Verify if any successful assume role operations occurred from the same identity around the same time.
Review any additional activity from the specific roles the identity assumed.

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

An AWS identity performed an unusual high number of failed assume role attempts.

Identify accessible roles and move laterally or escalate privileges within a cloud environment.

Check if the attempting identity is aware of this activity and if its recent behavior appears suspicious.
Evaluate if the source IP address or user agent associated with these attempts is known or suspicious.
Verify if any successful assume role operations occurred from the same identity around the same time.
Review any additional activity from the specific roles the identity assumed.