
Possible Privilege Escalation via AWS IAM CreateLoginProfile








Detect a user attempting to create a password for a specified IAM user.


This rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the CreateLoginProfile API call.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove any passwords generated by the user with the aws-cli command delete-login-profile or use the AWS Console.
  3. If the API call was made by the user:
  • Determine if the user should be performing this API call.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.
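The triage steps above, carried out over raw CloudTrail records, as an added example that is not part of the Datadog rule or its documentation: it filters the records down to CreateLoginProfile calls (successful or denied), derives the acting session name, compares it against a list of actors who are expected to make this call, and prints the delete-login-profile command from step 2 for each unexpected password that was actually created. The sample records, account id, user names and IP addresses are constructed, and the session_name() mapping to the rule's {{@userIdentity.session_name}} attribute is an assumption.

```python
"""Added example: triage CloudTrail records for IAM CreateLoginProfile calls.

Illustrative code written for this page, not Datadog's rule logic. It assumes
raw CloudTrail JSON records; how a record maps to the rule's
@userIdentity.session_name attribute is an assumption (see session_name()).
"""
from typing import Iterable

# Constructed sample CloudTrail records (fictitious account, names and IPs).
SAMPLE_RECORDS = [
    {   # a role session belonging to alice creates a console password for svc-backup
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateLoginProfile",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/alice",
        },
        "requestParameters": {"userName": "svc-backup", "passwordResetRequired": False},
    },
    {   # IAM user bob creates a console password for admin-user (succeeds)
        "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateLoginProfile",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"userName": "admin-user", "passwordResetRequired": True},
    },
    {   # the same call by bob, denied by IAM policy (still an attempt worth reviewing)
        "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateLoginProfile",
        "sourceIPAddress": "198.51.100.7",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"userName": "auditor"},
    },
    {   # unrelated read-only call, must be ignored by the detection
        "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetUser",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"userName": "bob"},
    },
]


def session_name(user_identity: dict) -> str:
    """Best-effort equivalent of the rule's @userIdentity.session_name (assumption).

    For AssumedRole identities the session name is the last path segment of the
    STS ARN; for IAM users it is the user name.
    """
    if user_identity.get("type") == "AssumedRole":
        return user_identity.get("arn", "").rsplit("/", 1)[-1]
    return user_identity.get("userName") or user_identity.get("arn", "unknown")


def triage(records: Iterable[dict], expected_actors: set) -> list:
    """Return one finding per CreateLoginProfile attempt, successful or denied."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateLoginProfile":
            continue
        actor = session_name(rec.get("userIdentity", {}))
        findings.append({
            "time": rec.get("eventTime"),
            "actor": actor,
            "target_user": rec.get("requestParameters", {}).get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,   # CloudTrail sets errorCode on failure
            "expected": actor in expected_actors,
        })
    return findings


def remediation_commands(findings: list) -> list:
    """Step-2 clean-up for unexpected password creations that actually succeeded.

    delete-login-profile is the aws-cli command named on this page; rotating the
    acting identity's own credentials is left to the responder.
    """
    cmds = []
    for f in findings:
        if f["succeeded"] and not f["expected"]:
            cmds.append(f"aws iam delete-login-profile --user-name {f['target_user']}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS, expected_actors={"alice"})
    for f in found:
        print(f)
    for c in remediation_commands(found):
        print("remediate:", c)
```

The denied attempt is kept as a finding on purpose: step 3 asks whether the actor should be performing this call at all, and a failed CreateLoginProfile from an identity that has no business making it is exactly the kind of API activity worth following up.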