RoleSentry: A Multi-Stage Framework for Explainable Detection of AWS Role Chaining Attacks
Proceedings of the 2025 Conference on Applied Machine Learning for Information Security, PMLR 299:239-264, 2025.
Abstract
AWS AssumeRole enables essential automation but also provides attackers with a primary mechanism for privilege escalation and lateral movement. Security teams face two critical challenges: identifying suspicious individual AssumeRole events within overwhelming legitimate activity and detecting when sequences of seemingly benign events form malicious role-chaining attacks. RoleSentry addresses both challenges through a novel three-stage framework combining behavioral filtering, ensemble anomaly detection, and graph neural networks. The system first applies a lightweight behavioral trait filter that automatically suppresses routine service-to-service automation, resulting in a 12.3% volume reduction with zero conflicting classifications. Filtered events undergo parallel analysis: an ensemble model scores individual events using contextual features, while a graph neural network analyzes temporal graphs to detect multi-step chaining patterns. The system provides SHAP-based explanations for analyst interpretation. We evaluated RoleSentry on a large corpus of AssumeRole events collected from over 30 days. Compared to Amazon GuardDuty, RoleSentry reduced false positive alerts by 98% and identified 25 sophisticated attacks that the commercial service missed entirely, including complex role-chaining scenarios. The results demonstrate that combining behavioral filtering with graph-based analysis provides operationally viable detection of both isolated and chained AssumeRole abuse.
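As an added example (not the paper's code), the first and third stages described above in simplified rule-based form over constructed CloudTrail-style events: a behavioral filter drops service-principal automation, and a temporal-graph walk surfaces AssumeRole sequences in which each assumed role becomes the actor of the next call. The record field names, the account ids and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified AssumeRole records: a Lambda service principal doing
# routine automation, then an IAM user hopping through two roles into an admin role.
EVENTS = [
    {"time": "2025-01-01T10:00:00Z", "actor_type": "AWSService",
     "actor": "lambda.amazonaws.com", "role": "arn:aws:iam::111111111111:role/app-runtime"},
    {"time": "2025-01-01T10:01:00Z", "actor_type": "IAMUser",
     "actor": "arn:aws:iam::111111111111:user/dev", "role": "arn:aws:iam::111111111111:role/ci-deploy"},
    {"time": "2025-01-01T10:03:00Z", "actor_type": "AssumedRole",
     "actor": "arn:aws:sts::111111111111:assumed-role/ci-deploy/s1",
     "role": "arn:aws:iam::222222222222:role/cross-account-read"},
    {"time": "2025-01-01T10:05:00Z", "actor_type": "AssumedRole",
     "actor": "arn:aws:sts::222222222222:assumed-role/cross-account-read/s2",
     "role": "arn:aws:iam::222222222222:role/admin"},
]

def role_node(arn):
    """Map an IAM role ARN or an STS assumed-role ARN to a graph node 'account:role'."""
    parts = arn.split(":")
    return f"{parts[4]}:{parts[5].split('/')[1]}"  # role/<name> or assumed-role/<name>/<sess>

_ts = lambda e: datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")

def behavioural_filter(events):
    """Stage 1: suppress service-to-service automation (AWS service principals)."""
    return [e for e in events if e["actor_type"] != "AWSService"]

def find_role_chains(events, window_minutes=30, min_hops=2):
    """Stage 3, simplified: from each non-assumed-role entry event, follow hops where the
    assumed role is the actor of a later event inside the window; report maximal chains."""
    by_source = defaultdict(list)          # node -> AssumeRole events issued from that role
    for e in events:
        if e["actor_type"] == "AssumedRole":
            by_source[role_node(e["actor"])].append(e)
    chains = []

    def walk(path):
        deadline = _ts(path[0]) + timedelta(minutes=window_minutes)
        nexts = [n for n in by_source[role_node(path[-1]["role"])]
                 if _ts(path[-1]) < _ts(n) <= deadline]
        for n in nexts:
            walk(path + [n])
        if not nexts and len(path) >= min_hops:   # leaf of the walk: emit the full chain
            chains.append([path[0]["actor"]] + [p["role"] for p in path])

    for start in events:
        if start["actor_type"] != "AssumedRole":   # chain entry points: users, root, services
            walk([start])
    return chains
```

A real deployment would replace the hard-coded service filter with learned behavioral traits and score each hop with the ensemble model; this block only shows the graph-walk logic that turns individually benign-looking events into a chain alert.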