AWS IAM Inline Policy Added to a Group

About

Tags

Domain: CloudDomain: IdentityData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMUse Case: Threat DetectionTactic: Privilege EscalationTactic: PersistenceLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

↳ Account Manipulation (T1098)(external, opens in a new tab or window)

False Positive Examples

Identity and platform teams and infrastructure-as-code pipelines occasionally manage group inline policies as part of normal access governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted group, and the policy document against approved change records. Known administration roles and deployment automation can be excluded after validation.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-aws.cloudtrail-*

Related Integrations

aws(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗data_stream.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "PutGroupPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
    and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
    and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")