createrole is not very common in common users. this search can be adjusted to provide specific values to identify cases of abuse. in general aws provides plenty of trust policies that fit most use cases.

t1078
aws account
splunk

Techniques

T1078

Sample rules

aws detect role creation

source: splunk
technicques:
- T1078

Description

This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.

Detection logic

`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* 
| table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate 
| `aws_detect_role_creation_filter`