Elastic Security Detection Rules

AWS IAM Login Profile Added for Root

Last updated 23 days ago on 2025-07-26
Created 9 months ago on 2024-12-02

About

Detects when an AWS IAM login profile is added to a root user account and is self-assigned. Adversaries, with temporary access to the root account, may add a login profile to the root user account to maintain access even if the original access key is rotated or disabled.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS IAMUse Case: Identity and Access AuditTactic: PersistenceLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

Valid Accounts (T1078)(opens in a new tab or window)

Account Manipulation (T1098)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws(opens in a new tab or window)

Query
from logs-aws.cloudtrail* metadata _id, _version, _index
| where
    // filter for CloudTrail logs from IAM
    event.dataset == "aws.cloudtrail"
    and event.provider == "iam.amazonaws.com"

    // filter for successful CreateLoginProfile API call
    and event.action == "CreateLoginProfile"
    and event.outcome == "success"

    // filter for Root member account
    and aws.cloudtrail.user_identity.type == "Root"

    // filter for an access key existing which sources from AssumeRoot
    and aws.cloudtrail.user_identity.access_key_id is not null

    // filter on the request parameters not including UserName which assumes self-assignment
    and not to_lower(aws.cloudtrail.request_parameters) like "*username*"
| keep
    @timestamp,
    aws.cloudtrail.request_parameters,
    aws.cloudtrail.response_elements,
    aws.cloudtrail.user_identity.type,
    aws.cloudtrail.user_identity.arn,
    aws.cloudtrail.user_identity.access_key_id,
    cloud.account.id,
    event.action,
    source.address

Install detection rules in Elastic Security

Detect AWS IAM Login Profile Added for Root in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).