CloudTrail Queries and Runbooks for AWS Privilege Escalation Detection

The alert hits at 02:17 UTC. CloudTrail logs show an API call you didn’t expect. A low-privilege user is now running actions reserved for admin roles. Privilege escalation is in motion.

If you don’t have a runbook and a fast query at hand, you lose minutes you can’t spare. This is where a precise CloudTrail query for privilege escalation detection becomes the backbone of your response plan.

Why Privilege Escalation Matters
Privilege escalation in AWS can happen through role assumption, attached policies, misconfigured trust relationships, or malicious use of temporary credentials. Once an actor moves from a low-privilege role to a high-privilege role, they can disable logging, exfiltrate data, or destroy resources. CloudTrail captures every API call, but the signal is buried in noise.

CloudTrail Queries for Escalation Events
To build a reliable privilege escalation CloudTrail query, filter for events like:

  • AssumeRole with unexpected source users
  • AttachUserPolicy or PutRolePolicy from non-admin users
  • UpdateAssumeRolePolicy changes to high-value roles
  • Use of CreateAccessKey or CreateLoginProfile by escalated accounts

Example Athena query snippet targeting suspicious AssumeRole calls:

-- Assumes the standard Athena CloudTrail table, where requestParameters
-- is stored as a JSON string rather than a struct, so the role ARN has to
-- be pulled out with json_extract_scalar instead of dotted access.
SELECT eventTime,
       userIdentity.type,
       userIdentity.arn,
       eventSource,
       eventName,
       json_extract_scalar(requestParameters, '$.roleArn') AS roleArn,
       sourceIPAddress
FROM cloudtrail_logs
WHERE eventSource = 'sts.amazonaws.com'
  AND eventName = 'AssumeRole'
  -- heuristic: principals whose ARN marks them as admin are expected here
  AND userIdentity.arn NOT LIKE '%Admin%'
  -- replace the placeholders with your allow-listed egress addresses
  AND sourceIPAddress NOT IN ('trusted-ip-1', 'trusted-ip-2')
ORDER BY eventTime DESC

This should be combined with IAM context and session details to confirm escalation. Fine-tune filters to reduce false positives without missing key events.
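The same four patterns from the list above, plus the AssumeRole filter from the Athena snippet, expressed as rules over raw CloudTrail records so they can be run on an event batch outside Athena. This is an added example, not code from the original post or from hoop.dev; it uses only the standard library. The "Admin" ARN marker, the high-value role name, the trusted IP and the sample records are constructed for the example. The one thing the SQL alone does not show is correlation: records are processed in time order, and a CreateAccessKey by a principal that already tripped an earlier rule is rated higher than a CreateAccessKey seen in isolation.

```python
"""Rule-based triage of CloudTrail records for privilege-escalation patterns.
Added example, not from the original post. Standard library only."""
import json
from datetime import datetime, timezone

ADMIN_ARN_MARKER = "Admin"             # mirrors the query's NOT LIKE '%Admin%'
HIGH_VALUE_ROLE_NAMES = {"OrgAdmin"}   # assumption: roles that justify a page
TRUSTED_SOURCE_IPS = {"203.0.113.10"}  # assumption: allow-listed egress address
POLICY_CHANGE_EVENTS = {"AttachUserPolicy", "PutRolePolicy"}
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}


def request_params(record):
    """requestParameters is a dict in raw CloudTrail JSON but a JSON string
    in the Athena table; accept either shape."""
    params = record.get("requestParameters") or {}
    return json.loads(params) if isinstance(params, str) else params


def parse_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(record, escalated):
    """Return (rule, severity) for one record, or None.
    `escalated` holds principal ARNs that already tripped a rule earlier in
    the batch; that is what turns a plain CreateAccessKey into a critical."""
    name = record["eventName"]
    identity = record.get("userIdentity", {})
    actor = identity.get("arn", "")
    params = request_params(record)
    if name == "AssumeRole":
        if ADMIN_ARN_MARKER not in actor and record.get("sourceIPAddress") not in TRUSTED_SOURCE_IPS:
            return "assume_role_untrusted_source", "medium"
    elif name in POLICY_CHANGE_EVENTS:
        if ADMIN_ARN_MARKER not in actor:
            return "policy_change_by_non_admin", "high"
    elif name == "UpdateAssumeRolePolicy":
        if params.get("roleName") in HIGH_VALUE_ROLE_NAMES:
            return "trust_policy_change_high_value_role", "high"
    elif name in CREDENTIAL_EVENTS:
        if actor in escalated:
            return "credential_creation_by_escalated_principal", "critical"
        target = params.get("userName")
        if target and target != identity.get("userName"):
            return "credential_creation_for_other_user", "medium"
    return None


def triage(records):
    """Process records oldest first so correlation state builds up, then
    return findings newest first, like the Athena query's ORDER BY."""
    escalated = set()
    findings = []
    for rec in sorted(records, key=parse_time):
        hit = evaluate(rec, escalated)
        if hit is None:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "")
        escalated.add(actor)
        findings.append({"eventTime": rec["eventTime"], "eventName": rec["eventName"],
                         "actor": actor, "rule": hit[0], "severity": hit[1]})
    return sorted(findings, key=lambda f: f["eventTime"], reverse=True)


# Constructed sample records; account id and IPs are documentation values.
ACCOUNT = "123456789012"
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T01:55:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/svc-deploy", "userName": "svc-deploy"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2024-05-01T02:17:03Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice", "userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": json.dumps({"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ReadOnly", "roleSessionName": "s1"})},
    {"eventTime": "2024-05-01T02:18:40Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice", "userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "dev-alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T02:19:12Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/dev-alice", "userName": "dev-alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-deploy"}},
    {"eventTime": "2024-05-01T02:20:00Z", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/AdminBob", "userName": "AdminBob"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleName": "OrgAdmin", "policyDocument": '{"Version":"2012-10-17","Statement":[]}'}},
    {"eventTime": "2024-05-01T02:21:30Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/AdminBob", "userName": "AdminBob"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/OrgAdmin", "roleSessionName": "s2"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['severity']:<8} {f['rule']:<45} {f['actor']}")
```

Run on the sample batch, the admin's trusted-IP AssumeRole and the service account creating its own key produce nothing, while dev-alice's untrusted AssumeRole, policy attachment and subsequent key creation escalate from medium to critical; the trust-policy change on OrgAdmin fires regardless of who made it, because verifying that change is the runbook's job, not the query's.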

Runbooks for Incident Response
A privilege escalation runbook defines the steps from detection to containment. Core elements:

  1. Detection – Automated alerts from CloudTrail queries integrated with monitoring tools.
  2. Verification – Cross-check against IAM role permissions and user change history.
  3. Containment – Disable or revoke temporary credentials, detach policies, block access paths.
  4. Eradication – Patch misconfigurations, rotate keys, remove malicious artifacts.
  5. Recovery – Restore normal role trust policies and re-enable services.
  6. Post-incident Review – Audit logs, improve queries, update runbook steps.
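The verification and containment steps above, worked through in code as an added example that is not part of the original post or of hoop.dev's tooling. Verification here means reconstructing the principal's IAM change history from CloudTrail; containment means mapping each change to the IAM call that reverses it. The output is a plan of plain dicts rather than live API calls, so a responder can review it before anything is executed, which is also why no boto3 calls appear. The principal ARN, account id, cutoff time and sample records are constructed; the revoke-sessions policy shape (a Deny on aws:TokenIssueTime) is the same mechanism the IAM console uses for "Revoke active sessions".

```python
"""Runbook verification and containment over CloudTrail records.
Added example, not from the original post. Standard library only."""
import json
from datetime import datetime, timezone

IAM_CHANGE_EVENTS = {"AssumeRole", "AttachUserPolicy", "PutRolePolicy",
                     "UpdateAssumeRolePolicy", "CreateAccessKey", "CreateLoginProfile"}


def request_params(record):
    """requestParameters is a dict in raw CloudTrail JSON, a string in Athena."""
    params = record.get("requestParameters") or {}
    return json.loads(params) if isinstance(params, str) else params


def change_history(records, principal_arn):
    """Verification step: every IAM-changing call by the principal, oldest first.
    CloudTrail eventTime is ISO-8601 with a Z suffix, so string order is time order."""
    hits = [r for r in records
            if r.get("userIdentity", {}).get("arn") == principal_arn
            and r["eventName"] in IAM_CHANGE_EVENTS]
    return sorted(hits, key=lambda r: r["eventTime"])


def revoke_sessions_policy(cutoff):
    """Inline deny policy that invalidates every session of a role issued
    before `cutoff`, i.e. revokes temporary credentials already handed out."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {
                               "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}


def containment_plan(records, principal_arn, cutoff):
    """Containment step: for each change the principal made, the IAM call
    that undoes it, in the order the changes were made. 'action' names the
    IAM API to call; the remaining keys are its parameters."""
    plan = []
    for rec in change_history(records, principal_arn):
        name = rec["eventName"]
        p = request_params(rec)
        if name == "CreateAccessKey":
            key_id = (rec.get("responseElements") or {}).get("accessKey", {}).get("accessKeyId")
            plan.append({"action": "iam:UpdateAccessKey", "userName": p.get("userName"),
                         "accessKeyId": key_id, "status": "Inactive"})
        elif name == "CreateLoginProfile":
            plan.append({"action": "iam:DeleteLoginProfile", "userName": p["userName"]})
        elif name == "AttachUserPolicy":
            plan.append({"action": "iam:DetachUserPolicy", "userName": p["userName"],
                         "policyArn": p["policyArn"]})
        elif name == "PutRolePolicy":
            plan.append({"action": "iam:DeleteRolePolicy", "roleName": p["roleName"],
                         "policyName": p["policyName"]})
        elif name == "UpdateAssumeRolePolicy":
            # The previous trust policy is not in the event; recovery takes it
            # from version control, as the runbook's Recovery step expects.
            plan.append({"action": "iam:UpdateAssumeRolePolicy", "roleName": p["roleName"],
                         "policyDocument": "<restore last known-good trust policy from version control>"})
        elif name == "AssumeRole":
            role_name = p["roleArn"].rsplit("/", 1)[-1]
            plan.append({"action": "iam:PutRolePolicy", "roleName": role_name,
                         "policyName": "RevokeOlderSessions",
                         "policyDocument": revoke_sessions_policy(cutoff)})
    return plan


# Constructed sample data; the access key id is AWS's documented example value.
ACCOUNT = "123456789012"
PRINCIPAL = f"arn:aws:iam::{ACCOUNT}:user/dev-alice"
CUTOFF = datetime(2024, 5, 1, 2, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T02:19:12Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": PRINCIPAL}, "requestParameters": {"userName": "svc-deploy"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}},
    {"eventTime": "2024-05-01T02:17:03Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": json.dumps({"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ReadOnly", "roleSessionName": "s1"})},
    {"eventTime": "2024-05-01T02:18:40Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"userName": "dev-alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T02:20:00Z", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/AdminBob"},
     "requestParameters": {"roleName": "OrgAdmin", "policyDocument": "{}"}},
]

if __name__ == "__main__":
    print(json.dumps(containment_plan(SAMPLE_RECORDS, PRINCIPAL, CUTOFF), indent=2))
```

The plan comes out in the order the escalation happened (revoke the ReadOnly sessions, detach AdministratorAccess, deactivate the new key), and AdminBob's trust-policy change is left out because it belongs to a different principal's history; keys are set Inactive rather than deleted so the Post-incident Review step still has the artifact.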

Automation is Non-Negotiable
Run these queries on a schedule and on demand. Trigger workflows when high-risk events are found. Store runbooks in version control and keep them in sync with evolving AWS services.

A ready privilege escalation CloudTrail query and a tested response runbook turn a breach from catastrophe into a contained incident.

See how to build and run these workflows in minutes at hoop.dev — and watch it live before the next alert hits.