AWS IAM Assume Role Policy Update
- source: elastic
- techniques:
- T1078
Description
Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or an Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it triggers only once for each unique combination of the "cloud.account.id", "user.name" and "target.entity.id" fields that has not previously been seen making this API request.
Detection logic
event.dataset: "aws.cloudtrail"
and event.provider: "iam.amazonaws.com"
and event.action: "UpdateAssumeRolePolicy"
and event.outcome: "success"
and not source.address: "cloudformation.amazonaws.com"
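The following is an added example and not Elastic's rule engine or integration code: a minimal evaluator that applies the filter above to constructed CloudTrail records and then applies the New Terms suppression on ("cloud.account.id", "user.name", "target.entity.id"). The `to_ecs` flattening is an assumption that loosely follows ECS naming; in particular, taking `target.entity.id` from `requestParameters.roleName` and deriving `user.name` from the assumed-role ARN are simplifications for the example.

```python
# Added example (not Elastic's code): evaluate the KQL rule above over
# constructed CloudTrail records, including New Terms suppression.

REQUIRED = {  # the positive clauses of the query
    "event.dataset": "aws.cloudtrail",
    "event.provider": "iam.amazonaws.com",
    "event.action": "UpdateAssumeRolePolicy",
    "event.outcome": "success",
}
EXCLUDED_SOURCE = "cloudformation.amazonaws.com"  # the "and not" clause
NEW_TERMS_FIELDS = ("cloud.account.id", "user.name", "target.entity.id")


def to_ecs(record: dict) -> dict:
    """Flatten a raw CloudTrail record into the dotted fields the query uses.
    Assumption: target.entity.id comes from requestParameters.roleName and
    an assumed-role session is named by the last ARN path component."""
    identity = record.get("userIdentity", {})
    user_name = identity.get("userName") or identity.get("arn", "").rsplit("/", 1)[-1]
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        # CloudTrail marks failures with errorCode; absence means success
        "event.outcome": "failure" if "errorCode" in record else "success",
        "source.address": record.get("sourceIPAddress"),
        "cloud.account.id": record.get("recipientAccountId"),
        "user.name": user_name,
        "target.entity.id": record.get("requestParameters", {}).get("roleName"),
    }


def matches_filter(event: dict) -> bool:
    """True when the flattened event satisfies every clause of the query."""
    if any(event.get(k) != v for k, v in REQUIRED.items()):
        return False
    return event.get("source.address") != EXCLUDED_SOURCE


class NewTermsDetector:
    """Alerts once per unseen (account, user, role) combination."""

    def __init__(self, history=()):
        self.seen = set(history)  # combinations already observed in the lookback

    def evaluate(self, events):
        alerts = []
        for ev in events:
            if not matches_filter(ev):
                continue
            key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
            if key in self.seen:
                continue  # same principal changed this role's trust policy before
            self.seen.add(key)
            alerts.append(ev)
        return alerts


def run_rule(records, history=()):
    """Return (user.name, target.entity.id) for each alert the rule would raise."""
    detector = NewTermsDetector(history)
    alerts = detector.evaluate(to_ecs(r) for r in records)
    return [(a["user.name"], a["target.entity.id"]) for a in alerts]


# Constructed sample records (not real CloudTrail data).
_BASE = {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
         "recipientAccountId": "111122223333"}
SAMPLE_RECORDS = [
    # 1. IAM user changes a role's trust policy: first sighting -> alert
    {**_BASE, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "DataPipelineRole"}},
    # 2. identical combination again -> suppressed by New Terms
    {**_BASE, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "DataPipelineRole"}},
    # 3. change driven by CloudFormation -> excluded by the query
    {**_BASE, "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/cfn-session"},
     "requestParameters": {"roleName": "AppRole"}},
    # 4. denied call -> event.outcome is failure, no alert
    {**_BASE, "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"roleName": "AdminRole"}},
    # 5. same user as 1 but a different role -> new combination -> alert
    {**_BASE, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "AdminRole"}},
]

if __name__ == "__main__":
    for user, role in run_rule(SAMPLE_RECORDS):
        print(f"ALERT: {user} updated trust policy of {role}")
```

Seeding `history` with combinations observed during the rule's lookback window reproduces the New Terms behaviour of not re-alerting on a known administrator's routine role maintenance, while a first-time principal touching a role's trust policy still surfaces.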