AWS IAM User created with AdministratorAccess policy attached


Goal

Detect when an AWS IAM user is created and the managed AdministratorAccess policy is attached shortly after.

Strategy

This rule leverages CloudTrail and triggers if a CreateUser API call is followed, within 10 minutes, by the AWS managed policy AdministratorAccess being attached to the newly requested IAM user. This can be an indicator of an attacker trying to preserve access to the AWS environment and to ensure the level of privileges required to achieve their objectives.
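The correlation the rule performs, as an added example that is not Datadog's own rule logic: raw CloudTrail records are scanned for a CreateUser followed within 10 minutes by an AttachUserPolicy carrying the AdministratorAccess ARN for the same userName. The sample records and the actor ARN are constructed for illustration.

```python
from datetime import datetime, timedelta

# AWS managed policy ARN the rule watches for.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=10)

def _ts(event):
    # CloudTrail eventTime is ISO 8601 UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_admin_user_creation(events, window=WINDOW):
    """Correlate CreateUser with a later AttachUserPolicy(AdministratorAccess)
    on the same userName within `window`. Returns one finding per match."""
    creates = {}   # userName -> most recent successful CreateUser event
    findings = []
    for ev in sorted(events, key=_ts):
        if ev.get("errorCode"):
            continue   # a denied or failed call granted nothing
        params = ev.get("requestParameters") or {}
        name = params.get("userName")
        if ev["eventName"] == "CreateUser" and name:
            creates[name] = ev
        elif (ev["eventName"] == "AttachUserPolicy"
              and params.get("policyArn") == ADMIN_POLICY_ARN
              and name in creates
              and _ts(ev) - _ts(creates[name]) <= window):
            findings.append({
                "userName": name,
                "actor": ev["userIdentity"]["arn"],
                "seconds_between": int((_ts(ev) - _ts(creates[name])).total_seconds()),
            })
    return findings

# Constructed sample CloudTrail records (not real account data).
ACTOR = "arn:aws:sts::123456789012:assumed-role/DevRole/alice"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-01-01T10:04:30Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"userName": "svc-backup", "policyArn": ADMIN_POLICY_ARN}},
    # Same pattern but outside the 10 minute window: not a match.
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2024-01-01T11:20:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"userName": "deploy-bot", "policyArn": ADMIN_POLICY_ARN}},
]
```

Running `detect_admin_user_creation(SAMPLE_EVENTS)` reports only `svc-backup`, attached 270 seconds after creation; the `deploy-bot` pair falls outside the window.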

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have carried out this operation.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Remove the newly created IAM user {{@requestParameters.userName}}.
  • Determine what other API calls were made by the user and the newly created user {{@requestParameters.userName}}.
  • Begin your organization’s incident response process and investigate.
  3. If the API call was made legitimately by the user:
  • It is recommended that IAM roles are used for human users and workloads so that they use temporary credentials.
  • If an IAM user is required, advise the user to find the least privileged policy that allows the user to operate as intended.
  • If not, see if other API calls were made by the user and determine if they warrant further investigation.