AWS IAM privileged policy was applied to a role

Classification:

attack

Tactic:

TA0004-privilege-escalation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when the AdministratorAccess policy is attached to an AWS IAM role.

Strategy

This rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy AdministratorAccess to a new AWS IAM role via the AttachRolePolicy API call.

Triage and response

Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
If the API call was not made by the user:

Rotate user credentials.
Determine what other API calls were made by the user.
Remove the AdministratorAccess policy from the {{@requestParameters.roleName}} role using the aws-cli command detach-role-policy.

If the API call was made legitimately by the user:

Determine if the role {{@requestParameters.roleName}} requires the AdministratorAccess policy to perform its intended function.
Advise the user to find the least privileged policy that allows the role to operate as intended.