AWS IAM Roles Anywhere User Profile Creation


Goal

Detect when an IAM Roles Anywhere profile is created.

Strategy

This rule monitors CloudTrail logs for CreateProfile API calls. In IAM Roles Anywhere, a profile is a list of the roles that the service is trusted to assume; an attacker may attempt to create one in order to gain access to those roles. A profile can also reference IAM managed policies, whose permissions are intersected with the permissions of the assumed role.
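
As an added example (not Datadog's own rule implementation), the following Python applies the same detection logic to constructed CloudTrail records: it fires only on CreateProfile events from the Roles Anywhere event source and extracts the actor and role list a responder would want for the triage steps. The `rolesanywhere.amazonaws.com` eventSource value and the requestParameters field names are assumptions not taken from this page.

```python
import json

# Constructed sample CloudTrail log (not real data). Field names follow the
# CloudTrail record format; the eventSource value for Roles Anywhere is assumed.
SAMPLE_LOG = json.dumps({"Records": [
    {   # the event this rule is meant to catch
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateProfile",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "name": "build-profile",
            "roleArns": ["arn:aws:iam::123456789012:role/BuildRole"],
            "durationSeconds": 3600,
        },
    },
    {   # same service, read-only call: must not fire
        "eventTime": "2024-01-01T12:01:00Z", "eventName": "ListProfiles",
        "eventSource": "rolesanywhere.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10", "requestParameters": None,
    },
    {   # different service: must not fire even though it creates a resource
        "eventTime": "2024-01-01T12:02:00Z", "eventName": "CreateRole",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleName": "X"},
    },
]})

def match_create_profile(record):
    """Return a triage summary if the record is a Roles Anywhere CreateProfile call."""
    if record.get("eventSource") != "rolesanywhere.amazonaws.com":
        return None
    if record.get("eventName") != "CreateProfile":
        return None
    params = record.get("requestParameters") or {}  # None on read-only calls
    return {
        "time": record.get("eventTime"),
        "actor": record.get("userIdentity", {}).get("arn"),  # {{@userIdentity.arn}}
        "source_ip": record.get("sourceIPAddress"),
        "profile_name": params.get("name"),
        "role_arns": params.get("roleArns", []),  # roles the new profile can assume
    }

def detect(log_text=SAMPLE_LOG):
    """Run the rule over a CloudTrail log file body and return all matches."""
    records = json.loads(log_text).get("Records", [])
    return [m for m in map(match_create_profile, records) if m]
```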

Triage & response

  1. Determine if the API call {{@evt.name}} should have been performed by the user {{@userIdentity.arn}}:
    • Contact the user to confirm if they made the API call.
  2. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what actions the user took and which new access keys the user created.
    • Begin your organization’s incident response process and investigate.

References