AWS IAM AdministratorAccess policy was applied to a user

cloudtrail

Classification:

attack

Tactic:

TA0004-privilege-escalation

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when the AdministratorAccess policy is attached to an AWS IAM user.

Strategy

This rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy AdministratorAccess to an AWS IAM user using the AttachUserPolicy API call.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Remove the AdministratorAccess policy from the {{@requestParameters.userName}} user using the aws-cli command detach-user-policy.
  1. If the API call was made legitimately by the user:
  • Determine if the user {{@requestParameters.userName}} requires the AdministratorAccess policy to perform the intended function.
  • Advise the user to find the least privileged policy that allows the user to operate as intended.