AWS IAM Assume Role Policy Update

Last updated 12 days ago on 2025-06-12

Created 5 years ago on 2020-07-06

About

Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "aws.cloudtrail.flattened.request_parameters.roleName" fields, that have not been seen making this API request within the last 14 days.

Tags

Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMUse Case: Identity and Access AuditTactic: Privilege EscalationLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples

Verify whether the user identity should be making changes in your environment. Policy updates from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-aws.cloudtrail-*
Related Integrations: aws(opens in a new tab or window)
Query

event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "UpdateAssumeRolePolicy"
    and event.outcome: "success"
    and not source.address: "cloudformation.amazonaws.com"

Install detection rules in Elastic Security

Detect AWS IAM Assume Role Policy Update in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).