LoFP

Verify whether the user identity should be making changes in your environment. Policy updates from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS IAM Assume Role Policy Update

Description

Identifies AWS CloudTrail events where an IAM role’s trust policy has been updated by an IAM user or an Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role; an attacker may modify it to gain the privileges of the role. This is a New Terms rule: it triggers only once for each unique combination of the “cloud.account.id”, “user.name” and “aws.cloudtrail.flattened.request_parameters.roleName” fields that has not been seen making this API request within the last 14 days.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "UpdateAssumeRolePolicy"
    and event.outcome: "success"
    and not source.address: "cloudformation.amazonaws.com"
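The following Python is an added example, not part of the LoFP page or of the rule itself. It applies the query above to constructed CloudTrail records (flattened here into dicts with dotted ECS field names, a simplification of real documents) and layers on the New Terms behaviour the description explains: one alert per account/user/role combination that has not been seen within 14 days, with the CloudFormation exclusion and the success-only filter applied first. Timestamps, account ids, user names and the role name are all made-up sample values.

```python
"""Evaluate the AWS IAM Assume Role Policy Update logic against sample events.

Added example: the events below are constructed, and the dotted-key dicts are a
flattened stand-in for the nested ECS documents Elastic actually indexes.
"""
from datetime import datetime, timedelta

# The description states the rule fires once per unseen terms combination in 14 days.
NEW_TERMS_WINDOW = timedelta(days=14)
NEW_TERMS_FIELDS = (
    "cloud.account.id",
    "user.name",
    "aws.cloudtrail.flattened.request_parameters.roleName",
)


def matches_rule(event: dict) -> bool:
    """Mirror the page's KQL: successful UpdateAssumeRolePolicy via the IAM
    endpoint, excluding calls originating from CloudFormation."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "iam.amazonaws.com"
        and event.get("event.action") == "UpdateAssumeRolePolicy"
        and event.get("event.outcome") == "success"
        and event.get("source.address") != "cloudformation.amazonaws.com"
    )


def new_terms_key(event: dict) -> tuple:
    """The combination the New Terms rule deduplicates on."""
    return tuple(event.get(field) for field in NEW_TERMS_FIELDS)


def run_detection(events: list, history: dict = None) -> list:
    """Return the events that would alert, in time order.

    `history` maps a terms key to the last time it was seen; pass a dict in to
    carry state across runs. A combination alerts again only once it has been
    absent for longer than the 14-day window.
    """
    seen = {} if history is None else history
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(ev):
            continue
        key = new_terms_key(ev)
        ts = datetime.fromisoformat(ev["@timestamp"])
        last_seen = seen.get(key)
        if last_seen is None or ts - last_seen > NEW_TERMS_WINDOW:
            alerts.append(ev)
        seen[key] = ts  # every matching call refreshes the window, alert or not
    return alerts


def make_event(ts, user, role="AppRole", outcome="success",
               source="203.0.113.10", account="111111111111") -> dict:
    """Build a constructed, flattened CloudTrail record for the sample set."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "iam.amazonaws.com",
        "event.action": "UpdateAssumeRolePolicy",
        "event.outcome": outcome,
        "source.address": source,
        "cloud.account.id": account,
        "user.name": user,
        "aws.cloudtrail.flattened.request_parameters.roleName": role,
    }


# Constructed sample: first sighting, a repeat, a CloudFormation-driven update,
# a failed call, a different user, and the first user again after the window.
SAMPLE_EVENTS = [
    make_event("2024-03-01T10:00:00+00:00", "alice"),
    make_event("2024-03-02T10:00:00+00:00", "alice"),
    make_event("2024-03-03T10:00:00+00:00", "deploy-pipeline",
               source="cloudformation.amazonaws.com"),
    make_event("2024-03-04T10:00:00+00:00", "alice", outcome="failure"),
    make_event("2024-03-05T10:00:00+00:00", "bob"),
    make_event("2024-03-25T10:00:00+00:00", "alice"),
]


def alerting_users(events=SAMPLE_EVENTS) -> list:
    """Convenience wrapper: the user.name of each event that would alert."""
    return [ev["user.name"] for ev in run_detection(events)]


if __name__ == "__main__":
    for ev in run_detection(SAMPLE_EVENTS):
        print(ev["@timestamp"], ev["user.name"], new_terms_key(ev))
```

Against the sample set only three records alert: alice's first update, bob's first update, and alice again 23 days after her last one. The second alice event is suppressed by the New Terms window, the CloudFormation call is excluded by the query, and the failed call never matches. When tuning exemptions for a known automation identity, the `history` dict is the place to see which combinations a role already has on record.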