AWS IAM Customer-Managed Policy Attached to Role by Rare User

Last updated: 2024-11-07
Created: 2024-11-04

About

Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS account, granting specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the AWS environment. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that uses the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.flattened.request_parameters.roleName` fields to check if the combination of the actor ARN and target role name has not been seen in the last 14 days.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS IAM
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)

False Positive Examples
Legitimate IAM administrators may attach customer-managed policies to roles for various reasons, such as granting temporary permissions or updating existing policies. Ensure that the user attaching the policy is authorized to do so and that the action is expected.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "AttachRolePolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.flattened.request_parameters.policyArn: arn\:aws\:iam\:\:aws\:policy*
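
The following is an added example and not code from Elastic or from the rule itself. It re-implements the query above as a Python predicate over flattened CloudTrail events (using the field names the rule queries) and then applies a simplified model of the New Terms evaluation described in the About section: events in the current rule interval are candidates, and a candidate alerts when its actor ARN / role name pair did not appear in a query-matching event during the preceding 14 days. The history window and interval handling are an approximation of the detection engine's behaviour, and the ARNs, role names and timestamps in the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone

# Field names are those used by the rule's query and New Terms configuration.
NEW_TERMS_FIELDS = (
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.flattened.request_parameters.roleName",
)
HISTORY_WINDOW = timedelta(days=14)
# KQL `arn\:aws\:iam\:\:aws\:policy*` is a prefix match on AWS-managed policy ARNs.
AWS_MANAGED_POLICY_PREFIX = "arn:aws:iam::aws:policy"


def matches_query(event: dict) -> bool:
    """Python equivalent of the rule's KQL: a successful IAM AttachRolePolicy
    call whose policy ARN is not an AWS-managed policy."""
    policy_arn = event.get("aws.cloudtrail.flattened.request_parameters.policyArn", "")
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "iam.amazonaws.com"
        and event.get("event.action") == "AttachRolePolicy"
        and event.get("event.outcome") == "success"
        and not policy_arn.startswith(AWS_MANAGED_POLICY_PREFIX)
    )


def term_key(event: dict) -> tuple:
    """The New Terms combination: (actor ARN, target role name)."""
    return tuple(event.get(f) for f in NEW_TERMS_FIELDS)


def new_term_alerts(events, now, rule_interval=timedelta(hours=1), window=HISTORY_WINDOW):
    """Simplified New Terms evaluation (assumption: an approximation of the
    detection engine). Query matches older than the rule interval but inside
    the history window only populate the set of known terms; matches inside
    the interval alert once per term that is absent from that set."""
    history_start = now - window
    interval_start = now - rule_interval
    seen_in_history = set()
    candidates = []
    for ev in events:
        if not matches_query(ev):
            continue
        ts = ev["@timestamp"]
        if history_start <= ts < interval_start:
            seen_in_history.add(term_key(ev))
        elif interval_start <= ts <= now:
            candidates.append(ev)
    alerts = {}
    for ev in sorted(candidates, key=lambda e: e["@timestamp"]):
        key = term_key(ev)
        if key not in seen_in_history and key not in alerts:
            alerts[key] = ev
    return alerts


def make_event(ts, actor, role, policy_arn, outcome="success"):
    """Build a constructed, flattened CloudTrail event with the queried fields."""
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": "iam.amazonaws.com",
        "event.action": "AttachRolePolicy",
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": actor,
        "aws.cloudtrail.flattened.request_parameters.roleName": role,
        "aws.cloudtrail.flattened.request_parameters.policyArn": policy_arn,
    }


# Constructed sample data (account id, principals and policy names are placeholders).
NOW = datetime(2024, 11, 7, 12, 0, tzinfo=timezone.utc)
ADMIN = "arn:aws:iam::123456789012:user/iam-admin"
RARE = "arn:aws:iam::123456789012:user/contractor-x"
CUSTOM_POLICY = "arn:aws:iam::123456789012:policy/app-deploy"

SAMPLE_EVENTS = [
    # Baseline: the admin attached this customer-managed policy to app-role 10 days ago.
    make_event(NOW - timedelta(days=10), ADMIN, "app-role", CUSTOM_POLICY),
    # Same actor/role pair again now: known term, no alert.
    make_event(NOW - timedelta(minutes=5), ADMIN, "app-role", CUSTOM_POLICY),
    # A different principal attaches to app-role: new term, alert.
    make_event(NOW - timedelta(minutes=4), RARE, "app-role", CUSTOM_POLICY),
    # AWS-managed policy: excluded by the query's policyArn filter.
    make_event(NOW - timedelta(minutes=3), RARE, "db-role", "arn:aws:iam::aws:policy/ReadOnlyAccess"),
    # Failed call: excluded by event.outcome.
    make_event(NOW - timedelta(minutes=2), RARE, "ci-role", CUSTOM_POLICY, outcome="failure"),
    # Admin touched old-role 40 days ago, outside the 14-day window, so it alerts again today.
    make_event(NOW - timedelta(days=40), ADMIN, "old-role", CUSTOM_POLICY),
    make_event(NOW - timedelta(minutes=1), ADMIN, "old-role", CUSTOM_POLICY),
]

if __name__ == "__main__":
    for (actor, role), ev in new_term_alerts(SAMPLE_EVENTS, NOW).items():
        print(f"NEW TERM: {actor} attached policy to role {role} at {ev['@timestamp']}")
```

Running it reports two alerts: the contractor principal attaching to app-role, and the admin attaching to old-role, whose last attachment falls outside the 14-day history. The admin's repeat on app-role and the AWS-managed and failed calls produce nothing, which mirrors the query exclusions and the false-positive note above.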

Install detection rules in Elastic Security

Detect AWS IAM Customer-Managed Policy Attached to Role by Rare User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.