LoFP / valid usage of s3 browser for iam loginprofile listing and/or creation

Techniques

Sample rules

AWS IAM S3Browser LoginProfile Creation

Description

Detects the S3 Browser utility performing reconnaissance: looking for existing IAM users without a LoginProfile defined and then, when one is found, creating a LoginProfile.

Detection logic

condition: selection
selection:
  eventName:
  - GetLoginProfile
  - CreateLoginProfile
  eventSource: iam.amazonaws.com
  userAgent|contains: S3 Browser
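
The selection above, applied to CloudTrail records and extended to pair each lookup with a later creation for the same target user, as an added example that is not part of the rule or of the LoFP project. The sample records, account ID, ARNs, user names and user-agent strings are constructed; the helper names are hypothetical.

```python
# Added example: the rule's selection run over constructed CloudTrail records.
RULE_EVENT_NAMES = {"getloginprofile", "createloginprofile"}

def matches_selection(ev):
    """Mirror the rule's selection; Sigma string matching is case-insensitive."""
    return (ev.get("eventSource", "").lower() == "iam.amazonaws.com"
            and ev.get("eventName", "").lower() in RULE_EVENT_NAMES
            and "s3 browser" in ev.get("userAgent", "").lower())

def triage(events):
    """Return (hits, sequences).

    hits: records matching the selection, oldest first.
    sequences: (caller ARN, target user) pairs where CreateLoginProfile follows
    a GetLoginProfile for the same target, the behaviour the description names.
    """
    hits = sorted(filter(matches_selection, events), key=lambda e: e["eventTime"])
    looked_up, sequences = set(), []
    for ev in hits:
        target = (ev.get("requestParameters") or {}).get("userName")
        key = (ev["userIdentity"]["arn"], target)
        if ev["eventName"].lower() == "getloginprofile":
            looked_up.add(key)
        elif key in looked_up:
            sequences.append(key)
    return hits, sequences

def _ev(time, source, name, agent, caller, target):
    # Build a record holding only the CloudTrail fields this example reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userAgent": agent, "userIdentity": {"arn": caller},
            "requestParameters": {"userName": target}}

ADMIN = "arn:aws:iam::111122223333:user/admin"        # constructed
HELPDESK = "arn:aws:iam::111122223333:user/helpdesk"  # constructed
S3B = "[S3 Browser/0.0 (constructed)]"                # constructed user agent

SAMPLE_EVENTS = [  # constructed records, not real logs
    _ev("2024-01-01T10:00:00Z", "iam.amazonaws.com", "GetLoginProfile", S3B, ADMIN, "alice"),
    _ev("2024-01-01T10:00:01Z", "iam.amazonaws.com", "GetLoginProfile", S3B, ADMIN, "bob"),
    _ev("2024-01-01T10:00:05Z", "iam.amazonaws.com", "CreateLoginProfile", S3B, ADMIN, "bob"),
    _ev("2024-01-01T10:01:00Z", "iam.amazonaws.com", "CreateLoginProfile", "aws-cli/0.0", HELPDESK, "carol"),
    _ev("2024-01-01T10:02:00Z", "s3.amazonaws.com", "ListBuckets", S3B, ADMIN, None),
]

if __name__ == "__main__":
    hits, sequences = triage(SAMPLE_EVENTS)
    print(len(hits), "matching records; lookup-then-create pairs:", sequences)
```

The selection matches on the user agent alone, so an administrator who legitimately uses S3 Browser produces the same hits; the caller ARN and target user in each pair are what to review.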