Techniques
Sample rules
AWS IAM Customer-Managed Policy Attached to Role by Rare User
- source: elastic
- techniques:
- T1548
Description
Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by a user who has not previously been seen attaching policies to that role. Customer-managed policies are policies created and controlled within an AWS account; when attached to a role or user they grant that principal the permissions the policy document specifies. This rule surfaces potential privilege escalation by flagging an AttachRolePolicy call from an actor who has never attached a policy to that role before, which could signal a compromised identity or misuse of a legitimate one. Attackers who can call AttachRolePolicy may attach a permissive policy to a role they can assume in order to expand that role's permissions and elevate their privileges within the AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "target.entity.id" fields: it alerts when the combination of account, actor identity and target role has not been seen in the rule's history window. Note that the rule cannot judge whether the actor is authorized, only whether the actor-to-role pairing is new, so first-time legitimate administrative activity will also alert and should be triaged against change records.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "AttachRolePolicy"
and event.outcome: "success"
and not related.entity: arn\:aws\:iam\:\:aws\:policy*
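The following is an added example, not Elastic's code, that applies the KQL filter above and the New Terms check to a handful of constructed ECS-style CloudTrail events. The events, account IDs, principal names and policy ARNs are made up, and the history window is modelled as a simple set of previously seen events rather than Elastic's time-bounded New Terms index.

```python
"""Added example: the rule's filter plus a New Terms check over constructed events.
Not Elastic's implementation; the sample data and the history model are assumptions."""
import fnmatch

# The KQL pattern arn\:aws\:iam\:\:aws\:policy* unescaped: any AWS-managed policy ARN.
AWS_MANAGED_POLICY_GLOB = "arn:aws:iam::aws:policy*"

# Fields the New Terms rule combines (from the Description above).
NEW_TERMS_FIELDS = ("cloud.account.id", "user.name", "target.entity.id")


def ecs_event(account, user, role, policy_arn, action="AttachRolePolicy", outcome="success"):
    """Build a minimal ECS-shaped CloudTrail document (constructed test data)."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                  "action": action, "outcome": outcome},
        "cloud": {"account": {"id": account}},
        "user": {"name": user},
        "target": {"entity": {"id": role}},
        "related": {"entity": [policy_arn]},
    }


def get_field(doc, dotted_path):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    cur = doc
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(event):
    """The rule's Detection logic, clause by clause."""
    if get_field(event, "event.dataset") != "aws.cloudtrail":
        return False
    if get_field(event, "event.provider") != "iam.amazonaws.com":
        return False
    if get_field(event, "event.action") != "AttachRolePolicy":
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    entities = get_field(event, "related.entity") or []
    if isinstance(entities, str):
        entities = [entities]
    # "not related.entity: arn\:aws\:iam\:\:aws\:policy*" drops AWS-managed policies.
    if any(fnmatch.fnmatchcase(e, AWS_MANAGED_POLICY_GLOB) for e in entities):
        return False
    return True


def term_key(event):
    """The (account, actor, target role) tuple the New Terms check keys on."""
    return tuple(get_field(event, f) for f in NEW_TERMS_FIELDS)


def run_rule(events, history):
    """Alert on matching events whose term key was not seen in history or earlier
    in this batch. Assumption: history is a plain list of past events; Elastic
    bounds its New Terms history by time, which this example does not model."""
    seen = {term_key(e) for e in history if matches_query(e)}
    alerts = []
    for e in events:
        if not matches_query(e):
            continue
        key = term_key(e)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({"key": key, "policy": get_field(e, "related.entity")[0]})
    return alerts


ACCT = "111111111111"  # constructed account ID
HISTORY_EVENTS = [  # previously seen, benign: the deploy pipeline maintains app-role
    ecs_event(ACCT, "deploy-bot", "app-role", f"arn:aws:iam::{ACCT}:policy/app-read"),
]
SAMPLE_EVENTS = [  # constructed batch to run the rule over
    ecs_event(ACCT, "deploy-bot", "app-role", f"arn:aws:iam::{ACCT}:policy/app-read"),
    ecs_event(ACCT, "contractor-jdoe", "app-role", f"arn:aws:iam::{ACCT}:policy/admin-like"),
    ecs_event(ACCT, "contractor-jdoe", "app-role", "arn:aws:iam::aws:policy/AdministratorAccess"),
    ecs_event(ACCT, "deploy-bot", "app-role", f"arn:aws:iam::{ACCT}:policy/app-read", outcome="failure"),
    ecs_event(ACCT, "contractor-jdoe", "app-role", f"arn:aws:iam::{ACCT}:policy/app-read"),
    ecs_event(ACCT, "deploy-bot", "billing-role", f"arn:aws:iam::{ACCT}:policy/app-read"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, HISTORY_EVENTS):
        print(alert)
```

Running it yields two alerts: contractor-jdoe attaching a customer-managed policy to app-role (a new actor for that role), and deploy-bot attaching to billing-role (a known actor but a new role). The repeat by contractor-jdoe is suppressed once the pairing has been seen, and the failed call never passes the filter. The third event is the caveat a practitioner should notice: the `related.entity` exclusion means attaching an AWS-managed policy such as AdministratorAccess does not match this rule at all, so it needs separate coverage.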