<  Back to rules search

AWS IAM policy changed

cloudtrail

Classification:

attack

Tactic:

Technique:

Framework:

cis-aws

Control:

4.4

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect a change to an AWS IAM Policy.

Strategy

This rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:

Triage and response

  1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.
  2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.

Changelog

5 April 2022 - Updated rule and signal message.