AWS Sensitive IAM Operations Performed via CloudShell

Last updated: 2026-02-18
Created: 2026-02-10

About

Identifies sensitive AWS IAM operations performed via AWS CloudShell, keyed on the user agent string recorded in CloudTrail. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console, running with the permissions of the console session's principal. While convenient for administrators, CloudShell access from a compromised console session lets an attacker perform privileged operations without installing tools or obtaining programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys or roles, or attaching or putting user and role policies, when they succeed and originate from CloudShell; such activity may indicate post-compromise credential harvesting or privilege escalation. The CloudShell indicator comes from the client-supplied user agent (the AWS CLI tags it with the CloudShell execution environment), so the match is a positive signal that the action came through CloudShell rather than a guarantee that every CloudShell action carries it.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS IAM
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Threat Detection
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Privilege Escalation (TA0004)

False Positive Examples
Administrators may legitimately use CloudShell for IAM management tasks during routine operations or troubleshooting. Verify whether the user, source IP, session context, and the specific actions align with expected administrative workflows (for example, a change ticket or a known break-glass procedure). Establish a baseline of normal CloudShell usage per principal and account to reduce false positives, and consider exceptions for dedicated automation or administration principals rather than for the rule as a whole.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
text code block:
event.dataset: "aws.cloudtrail" and
event.provider: "iam.amazonaws.com" and
event.action: (
  "CreateAccessKey" or "CreateUser" or "AttachUserPolicy" or "PutUserPolicy" or
  "CreateRole" or "AttachRolePolicy" or "PutRolePolicy" or
  "CreateInstanceProfile" or "AddRoleToInstanceProfile"
) and
event.outcome: "success" and
user_agent.original: *CloudShell*
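To see what the query above does and does not fire on, here is the same matching logic re-implemented in Python and run over a handful of constructed CloudTrail records. This is an added example, not Elastic's code or part of the rule package. It assumes the field mapping the Elastic AWS integration performs when it ingests CloudTrail (eventSource to event.provider, eventName to event.action, userAgent to user_agent.original, and a record with no errorCode becoming event.outcome "success"); the sample records, ARNs and user agent strings are made up for the example, with the CloudShell user agent imitating the exec-env/CloudShell tag the AWS CLI appends inside CloudShell.

```python
# Added example (not Elastic's code): the rule's conditions applied to raw
# CloudTrail records so the detection can be exercised offline.

# The event.action values the KQL query lists.
SENSITIVE_IAM_ACTIONS = frozenset({
    "CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
    "CreateRole", "AttachRolePolicy", "PutRolePolicy",
    "CreateInstanceProfile", "AddRoleToInstanceProfile",
})


def to_ecs(record):
    """Map the raw CloudTrail fields the rule needs to the ECS names it queries.

    Assumption (mirrors the Elastic AWS integration): eventSource -> event.provider,
    eventName -> event.action, userAgent -> user_agent.original, and a record
    without errorCode is event.outcome "success".
    """
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource", ""),
        "event.action": record.get("eventName", ""),
        "event.outcome": "failure" if record.get("errorCode") else "success",
        "user_agent.original": record.get("userAgent", ""),
        "user.arn": record.get("userIdentity", {}).get("arn", ""),
    }


def matches_rule(doc):
    """Evaluate one ECS document against the query. KQL's *CloudShell* on a
    keyword field is a case-sensitive substring match, which 'in' reproduces."""
    return (
        doc["event.dataset"] == "aws.cloudtrail"
        and doc["event.provider"] == "iam.amazonaws.com"
        and doc["event.action"] in SENSITIVE_IAM_ACTIONS
        and doc["event.outcome"] == "success"
        and "CloudShell" in doc["user_agent.original"]
    )


def find_alerts(raw_records):
    """Return (action, principal ARN) for every record the rule would alert on."""
    hits = []
    for record in raw_records:
        doc = to_ecs(record)
        if matches_rule(doc):
            hits.append((doc["event.action"], doc["user.arn"]))
    return hits


# Constructed sample records in CloudTrail's JSON shape; not real log data.
CLOUDSHELL_UA = ("aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exec-env/CloudShell "
                 "prompt/off command/iam.create-access-key")
LAPTOP_UA = ("aws-cli/2.15.0 Python/3.11.6 Darwin/23.2.0 "
             "prompt/off command/iam.create-access-key")
IAM = "iam.amazonaws.com"
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "AssumedRole",
       "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}
MALLORY = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"}

SAMPLE_RECORDS = [
    # Successful key creation from CloudShell: alerts.
    {"eventSource": IAM, "eventName": "CreateAccessKey",
     "userAgent": CLOUDSHELL_UA, "userIdentity": ALICE},
    # Denied attempt: event.outcome is "failure", so this rule stays silent.
    {"eventSource": IAM, "eventName": "CreateUser", "errorCode": "AccessDenied",
     "userAgent": CLOUDSHELL_UA, "userIdentity": ALICE},
    # Assumed-role session attaching a policy from CloudShell: alerts.
    {"eventSource": IAM, "eventName": "AttachRolePolicy",
     "userAgent": CLOUDSHELL_UA, "userIdentity": BOB},
    # Read-only call from CloudShell: not in the action list.
    {"eventSource": IAM, "eventName": "ListUsers",
     "userAgent": CLOUDSHELL_UA, "userIdentity": BOB},
    # Same sensitive action from a workstation CLI: out of scope for this rule,
    # and a client that rewrites its user agent would be missed the same way.
    {"eventSource": IAM, "eventName": "CreateAccessKey",
     "userAgent": LAPTOP_UA, "userIdentity": MALLORY},
]

if __name__ == "__main__":
    for action, arn in find_alerts(SAMPLE_RECORDS):
        print(f"ALERT {action} by {arn}")
```

The last two sample records are the ones to keep in mind when tuning: the rule is scoped to CloudShell by user agent, so the same IAM operation from any other client (or from CloudShell with a rewritten user agent) needs a separate, client-agnostic rule to be caught.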

Install detection rules in Elastic Security

Detect AWS Sensitive IAM Operations Performed via CloudShell in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.