LoFP / Administrators may legitimately use CloudShell for IAM management tasks during routine operations or troubleshooting. Verify whether the user, source IP, and specific actions align with expected administrative workflows. Establish a baseline of normal CloudShell usage patterns (which identities run which IAM actions, and from where) to reduce false positives.

Techniques

Sample rules

AWS Sensitive IAM Operations Performed via CloudShell

Description

Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: (
        "CreateAccessKey" or
        "CreateUser" or
        "AttachUserPolicy" or
        "PutUserPolicy" or
        "CreateRole" or
        "AttachRolePolicy" or
        "PutRolePolicy" or
        "CreateInstanceProfile" or
        "AddRoleToInstanceProfile"
    )
    and event.outcome: "success"
    and user_agent.original: *CloudShell*
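The following is an added example, not part of the rule or of Elastic's implementation. It runs the detection logic above over a handful of constructed CloudTrail records and then applies the false-positive guidance at the top of the page (compare the matching user, source IP and action against an expected-administration baseline). The mapping from raw CloudTrail fields (eventSource, eventName, errorCode, userAgent) to the ECS names the rule queries is an assumption about how the AWS CloudTrail integration normalises records, the sample records and the baseline are invented, and the exact user agent CloudShell emits is assumed; the rule only needs the substring CloudShell to appear in it.

```python
"""Evaluate the 'Sensitive IAM Operations via CloudShell' rule over sample records.

Added example: field names follow the ECS names used in the rule; the raw
CloudTrail -> ECS mapping in to_ecs() is an assumption, not the integration's code.
"""
import fnmatch

# The event.action list from the rule, verbatim.
SENSITIVE_IAM_ACTIONS = {
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "CreateRole", "AttachRolePolicy", "PutRolePolicy",
    "CreateInstanceProfile", "AddRoleToInstanceProfile",
}

# Constructed records (not real logs). Only the fields the rule and triage need.
SAMPLE_RECORDS = [
    # 1. Routine admin work from CloudShell: matches the rule, but is in the baseline.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ... exec-env/CloudShell"},
    # 2. Access key minted from CloudShell by an identity with no baseline: escalate.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-tmp"},
     "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ... exec-env/CloudShell"},
    # 3. Denied attempt: errorCode present, so event.outcome is not "success".
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied",
     "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ... exec-env/CloudShell"},
    # 4. Same sensitive action, but from an SDK rather than CloudShell: no match.
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "aws-sdk-go/1.44.0 (go1.21; linux; amd64)"},
    # 5. Read-only IAM call from CloudShell: not in the sensitive action list.
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ... exec-env/CloudShell"},
    # 6. Not the IAM service (event.provider mismatch): no match.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 md/awscrt#0.19.19 ... exec-env/CloudShell"},
]

# Invented baseline of expected administrative CloudShell usage, per the LoFP note:
# which identity is expected to run which sensitive actions, and from which addresses.
BASELINE = {
    "ops-admin": {"actions": {"CreateRole", "AttachRolePolicy", "PutRolePolicy"},
                  "source_ips": {"203.0.113.10"}},
}


def to_ecs(record):
    """Map a raw CloudTrail record to the ECS fields the rule queries (assumed mapping)."""
    identity = record.get("userIdentity", {})
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        # CloudTrail carries errorCode only on failures; its absence means success.
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "user_agent.original": record.get("userAgent", ""),
        "user.name": identity.get("userName") or identity.get("arn", ""),
        "source.ip": record.get("sourceIPAddress", ""),
    }


def matches_rule(ecs):
    """The rule's KQL, clause by clause; *CloudShell* is a case-sensitive wildcard on a keyword field."""
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "iam.amazonaws.com"
        and ecs["event.action"] in SENSITIVE_IAM_ACTIONS
        and ecs["event.outcome"] == "success"
        and fnmatch.fnmatchcase(ecs["user_agent.original"], "*CloudShell*")
    )


def triage(records, baseline):
    """Run the rule, then flag each hit as in or out of the expected-admin baseline.

    A hit is 'in_baseline' only when user, source IP and action all match the
    baseline entry; anything else should be treated as a candidate for escalation.
    """
    findings = []
    for rec in records:
        ecs = to_ecs(rec)
        if not matches_rule(ecs):
            continue
        expected = baseline.get(ecs["user.name"], {"actions": set(), "source_ips": set()})
        findings.append({
            "user": ecs["user.name"],
            "action": ecs["event.action"],
            "source_ip": ecs["source.ip"],
            "in_baseline": (ecs["event.action"] in expected["actions"]
                            and ecs["source.ip"] in expected["source_ips"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, BASELINE):
        print(("baseline " if f["in_baseline"] else "ESCALATE ") + repr(f))
```

Of the six constructed records only the first two trigger the rule; the baseline check separates the routine CreateRole by ops-admin from the CreateAccessKey by an identity with no expected CloudShell usage. Note that the source IP recorded for CloudShell-originated API calls is that of the CloudShell environment rather than the administrator's workstation, so the source-IP baseline is best built from observed CloudShell hits rather than from a corporate egress list.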