AN1105: Analytic 1105
Multiple AWS CloudTrail events indicating temporary privilege escalation via PassRole and AssumeRole targeting newly created services or non-interactive infrastructure.
Analyst context for executives and security teams
This analytic matters because it focuses on a high-value cloud identity pattern: temporary privilege escalation in AWS through PassRole and AssumeRole activity tied to newly created services or non-interactive infrastructure. For leaders, the practical issue is whether cloud activity that grants or assumes roles can be explained as approved automation, or whether it creates a fast path to expanded access before responders notice.
Executive priority
Prioritize this as a cloud identity and incident-readiness validation item. The business risk is not the existence of AWS roles themselves, but insufficient visibility and governance around who or what can pass and assume them, especially when new infrastructure is created. Executives should ask whether CloudTrail is retained and reviewed, whether role-use exceptions are auditable, and whether incident teams can quickly distinguish approved deployment automation from suspicious privilege changes.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring around AWS CloudTrail events involving PassRole and AssumeRole, with attention to sequences involving newly created services or non-interactive infrastructure. Because the official object provides no detailed detection logic, teams should treat AN1105 as a detection objective rather than a ready-to-deploy rule. Local baselining is important: CI/CD systems, infrastructure-as-code pipelines, service principals, and scheduled automation may legitimately generate similar events.
Likely telemetry
- AWS CloudTrail management events
- IAM role assumption and role passing events
- Cloud infrastructure creation events for newly created services
- Identity context for users, roles, service principals, and automation accounts
- Timestamps and event sequences linking role activity to infrastructure changes
Detection direction
- Confirm CloudTrail coverage for the relevant AWS accounts and regions where IaaS activity occurs.
- Correlate PassRole and AssumeRole events with creation or modification of cloud services and non-interactive infrastructure.
- Baseline expected automation such as deployment pipelines and service-managed role usage to reduce false positives.
- Alert on unusual role passing or assumption patterns that deviate from known infrastructure workflows, especially when tied to newly created resources.
- Preserve enough event context to support incident triage: actor, assumed role, target service, timing, and related resource creation events.
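The correlation described in the technical view and detection direction above, worked through as an added example (this is not MITRE's or Glexia's detection logic, and AN1105 ships none). It reads CloudTrail-shaped management events, remembers which creation calls passed a role into a new resource, flags a later AssumeRole of that same role inside a short window, skips actors on a local automation baseline, and keeps the triage context the last bullet asks for. The records are constructed; the mapping of "passed role" onto requestParameters (Lambda `role`, ECS `taskRoleArn`, a generic `roleArn`) and the 15-minute window are assumptions to adjust against your own logs.

```python
"""Correlate CloudTrail role-passing creation events with later AssumeRole events.

Added example, not MITRE's or Glexia's code. Field names follow CloudTrail
management events; the sample records are constructed, and which request
parameters carry a "passed role" is an assumption to verify locally.
"""
from datetime import datetime, timedelta

# Local baseline: principals whose PassRole -> AssumeRole sequences are approved
# deployment automation. Constructed ARN, not a real account.
KNOWN_AUTOMATION = {"arn:aws:iam::111122223333:user/ci-deployer"}
WINDOW = timedelta(minutes=15)  # assumption: how soon after passing a role its use is "linked"


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def passed_role(rec):
    """Role ARN handed to a newly created resource, or None if no role is passed."""
    p = rec.get("requestParameters") or {}
    src, name = rec["eventSource"], rec["eventName"]
    if src == "lambda.amazonaws.com" and name.startswith("CreateFunction"):
        return p.get("role")
    if src == "ecs.amazonaws.com" and name == "RegisterTaskDefinition":
        return p.get("taskRoleArn")
    if name.startswith(("Create", "Run", "Register")):  # generic fallback (assumption)
        return p.get("roleArn")
    return None


def detect(records, known_automation=KNOWN_AUTOMATION, window=WINDOW):
    """Findings where an actor passed a role into a new resource and that role was
    assumed within `window`. Baselined actors are skipped; roles created earlier
    in the same batch are marked as new so triage can see the full sequence."""
    records = sorted(records, key=_ts)
    new_roles, passes, findings = set(), [], []
    for rec in records:
        ident = rec["userIdentity"]
        actor = ident.get("arn") or ident.get("invokedBy", "unknown")
        if rec["eventSource"] == "iam.amazonaws.com" and rec["eventName"] == "CreateRole":
            new_roles.add(rec["responseElements"]["role"]["arn"])
            continue
        role = passed_role(rec)
        if role:
            passes.append((_ts(rec), actor, role, rec))  # remember who passed what
            continue
        if rec["eventSource"] == "sts.amazonaws.com" and rec["eventName"] == "AssumeRole":
            target = rec["requestParameters"]["roleArn"]
            for t, passer, prole, creation in passes:
                if prole != target or not (timedelta(0) <= _ts(rec) - t <= window):
                    continue
                if passer in known_automation:
                    continue  # documented pipeline path, reduces false positives
                params = creation.get("requestParameters") or {}
                findings.append({
                    "actor": passer,
                    "passed_role": target,
                    "role_is_new": target in new_roles,
                    "created_via": creation["eventName"],
                    "resource": params.get("functionName") or params.get("family") or "?",
                    "assumed_by": actor,
                    "assume_time": rec["eventTime"],
                })
    return findings


def _rec(time, source, name, identity, params=None, response=None):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": params or {},
            "responseElements": response or {}}


# Constructed identities and roles (not captured data).
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
CI = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deployer"}
LAMBDA = {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}
ADMIN_ROLE = "arn:aws:iam::111122223333:role/analytics-admin"
DEPLOY_ROLE = "arn:aws:iam::111122223333:role/deploy-exec"

SAMPLE = [  # constructed sequence: new role, passed into a new function, assumed by the service
    _rec("2026-01-10T10:00:00Z", "iam.amazonaws.com", "CreateRole", ALICE,
         {"roleName": "analytics-admin"}, {"role": {"arn": ADMIN_ROLE}}),
    _rec("2026-01-10T10:03:00Z", "lambda.amazonaws.com", "CreateFunction20150331", ALICE,
         {"functionName": "nightly-report", "role": ADMIN_ROLE}),
    _rec("2026-01-10T10:04:00Z", "sts.amazonaws.com", "AssumeRole", LAMBDA,
         {"roleArn": ADMIN_ROLE, "roleSessionName": "nightly-report"}),
    _rec("2026-01-10T10:10:00Z", "lambda.amazonaws.com", "CreateFunction20150331", CI,
         {"functionName": "api-handler", "role": DEPLOY_ROLE}),  # baselined pipeline
    _rec("2026-01-10T10:11:00Z", "sts.amazonaws.com", "AssumeRole", LAMBDA,
         {"roleArn": DEPLOY_ROLE, "roleSessionName": "api-handler"}),
    _rec("2026-01-10T10:30:00Z", "sts.amazonaws.com", "AssumeRole", LAMBDA,
         {"roleArn": ADMIN_ROLE, "roleSessionName": "nightly-report"}),  # outside window
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Run stand-alone, the sample yields one finding: alice passed a freshly created role into a new Lambda function and the service assumed it a minute later, while the ci-deployer sequence is suppressed by the baseline and the 10:30 assumption falls outside the window. Clearing `known_automation` shows why the baseline matters: the pipeline's identical-looking sequence becomes a second finding.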
Mitigation priorities
- Review IAM governance for who or what can use PassRole and AssumeRole permissions.
- Apply least-privilege design to roles used by services and automation.
- Separate and document approved infrastructure automation paths so anomalous role use is easier to identify.
- Ensure CloudTrail logging, retention, and access for IR and compliance evidence are in place across relevant IaaS environments.
- Periodically test whether SOC workflows can triage suspicious role passing and role assumption without relying on manual cloud console inspection alone.
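The first two mitigation bullets (governing who can use PassRole, least privilege for service roles) come down to what IAM policy statements actually allow. As an added example, not MITRE's or Glexia's tooling, the checker below flags Allow statements that grant iam:PassRole on every role or without an `iam:PassedToService` condition, and shows a weak policy beside a scoped one. Both policy documents are constructed; the role ARN and account number are placeholders.

```python
"""Review IAM policy documents for overly broad iam:PassRole grants.

Added example, not MITRE's or Glexia's code. The two policies are constructed.
"""
from fnmatch import fnmatch


def _as_list(v):
    """IAM allows scalars or lists for Action, Resource and Statement."""
    return v if isinstance(v, list) else [v]


def grants_passrole(stmt):
    """True if an Allow statement's actions cover iam:PassRole, wildcards included."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch("iam:passrole", a.lower()) for a in _as_list(stmt.get("Action", [])))


def review_passrole(policy):
    """Return (Sid, issue) pairs for statements where PassRole is too broad."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not grants_passrole(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            issues.append((sid, "PassRole on every role; scope Resource to the role ARNs "
                                "automation actually needs"))
        cond = stmt.get("Condition") or {}
        if not any(k.lower() == "iam:passedtoservice" for v in cond.values() for k in v):
            issues.append((sid, "no iam:PassedToService condition; the role can be passed "
                                "to any service that accepts it"))
    return issues


WEAK_POLICY = {  # constructed: the "before" shape
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BroadPass", "Effect": "Allow",
        "Action": ["iam:PassRole", "lambda:CreateFunction"],
        "Resource": "*",
    }],
}

SCOPED_POLICY = {  # constructed: one named role, only to Lambda
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassOnlyReportingExec", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/lambda-exec-reporting",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "DeployFunctions", "Effect": "Allow",
         "Action": "lambda:CreateFunction", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review_passrole(pol))
```

The wildcard handling is the part most reviews miss: a statement allowing `iam:*` or `*` grants PassRole just as surely as naming it, so the checker matches the action patterns against `iam:PassRole` rather than looking for the literal string.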
Analyst notes and limits
AN1105 is a detection analytic in the enterprise ATT&CK domain for IaaS, specifically AWS CloudTrail evidence of temporary privilege escalation using PassRole and AssumeRole against newly created services or non-interactive infrastructure. There are no supplied tactics, relationships, labels, aliases, or official detection logic, so this summary is framed as a validation and coverage objective rather than a complete detection rule.
This summary uses only the supplied ATT&CK fields and external reference. It does not establish active exploitation, attribution, impact, or existing customer exposure. Because no relationships or official detection content were provided, implementation details, severity, and false-positive handling must be determined from local AWS architecture, IAM design, automation patterns, and CloudTrail availability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3c86b7f6cca4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1105
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.