<  Back to rules search

AWS IAM privileged policy was applied to a group

cloudtrail

Classification:

attack

Tactic:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when the AdministratorAccess policy is attached to an AWS IAM group.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy AdministratorAccess to a new AWS IAM group using the AttachGroupPolicy API call.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove the AdministratorAccess policy from the {{@requestParameters.groupName}} group using the aws-cli command detach-group-policy.
  1. If the API call was made legitimately by the user:
  • Determine if the group {{@requestParameters.groupName}} requires the AdministratorAccess policy to perform the intended function.
  • Advise the user to find the least privileged policy that allows the group to operate as intended.