LoFP / Infrastructure-as-code, CI/CD, and IAM administrators routinely publish new policy versions or roll back defaults. Validate the policy ARN, change tickets, and whether the policy document broadens permissions. Exclude automation roles or pipelines after review.

Techniques

Sample rules

AWS IAM Customer Managed Policy Version Created or Default Version Set

Description

Identifies successful IAM API calls that create a new customer managed policy version or set the default version for an existing customer managed policy. Attackers with iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on a privileged policy can introduce a permissive policy document and activate it, escalating effective permissions without attaching a new policy. These APIs are high impact when the target policy is attached to powerful roles or users.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: ("CreatePolicyVersion" or "SetDefaultPolicyVersion")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.arn: arn*/terraform
    and not source.as.organization.name: (Amazon* or AMAZON* or "Google LLC" or "MongoDB, Inc.")
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
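The rule above and the triage advice at the top of the page (check whether the submitted policy document broadens permissions) can be exercised offline. The following is an added example, not part of the LoFP page or of the rule's own code: it replays the detection logic over constructed, flattened ECS records and flags Allow statements in a policy document that grant wildcard actions or resources. Field names are the rule's; the sample records, ARNs and policy are constructed.

```python
import fnmatch
import json

# Exclusions copied from the rule's detection logic above.
EXCLUDED_AS_ORGS = ("Amazon*", "AMAZON*", "Google LLC", "MongoDB, Inc.")
EXCLUDED_SOURCES = ("cloudformation.amazonaws.com", "servicecatalog.amazonaws.com")

def matches_rule(ev):
    """Apply the rule's filters to one flattened ECS record; True means alert."""
    in_scope = (ev.get("event.dataset") == "aws.cloudtrail"
                and ev.get("event.provider") == "iam.amazonaws.com"
                and ev.get("event.action") in ("CreatePolicyVersion", "SetDefaultPolicyVersion")
                and ev.get("event.outcome") == "success")
    if not in_scope or ev.get("aws.cloudtrail.user_identity.type") == "AWSService":
        return False
    if fnmatch.fnmatchcase(ev.get("aws.cloudtrail.user_identity.arn", ""), "arn*/terraform"):
        return False  # the rule's IaC (Terraform) exclusion
    org = ev.get("source.as.organization.name", "")
    if any(fnmatch.fnmatchcase(org, p) for p in EXCLUDED_AS_ORGS):
        return False
    return ev.get("source.address") not in EXCLUDED_SOURCES

def broadening_statements(policy_document):
    """Triage aid: Sids of Allow statements with wildcard actions/resources or NotAction/NotResource."""
    stmts = json.loads(policy_document).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
    flagged = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        acts = s.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = s.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        wide = any(a == "*" or a.endswith(":*") for a in acts) or "*" in res
        if wide or "NotAction" in s or "NotResource" in s:
            flagged.append(s.get("Sid", "<no Sid>"))
    return flagged

# Constructed sample records and policy document (not real CloudTrail data).
ALERT_EVENT = {
    "event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
    "event.action": "CreatePolicyVersion", "event.outcome": "success",
    "aws.cloudtrail.user_identity.type": "IAMUser",
    "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/alice",
    "source.as.organization.name": "Example ISP", "source.address": "203.0.113.10"}
TERRAFORM_EVENT = dict(ALERT_EVENT, **{"aws.cloudtrail.user_identity.arn":
                       "arn:aws:sts::123456789012:assumed-role/deploy/terraform"})
WIDE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Read", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::b/*"},
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]})
```

In CloudTrail, `CreatePolicyVersion` carries the document as a JSON string under requestParameters.policyDocument, which is what broadening_statements expects; a flagged Sid is a reason to pull the change ticket, not proof of abuse.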