---
title: AWS IAM AdministratorAccess policy was applied to a role
---

# AWS IAM AdministratorAccess policy was applied to a role
Classification: attack. Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004). Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098).
## Goal{% #goal %}

Detect when the `AdministratorAccess` policy is attached to an AWS IAM role.

## Strategy{% #strategy %}

This rule monitors CloudTrail for the [`AttachRolePolicy`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html) API call whose `policyArn` is the AWS managed policy [`AdministratorAccess`](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator) (`arn:aws:iam::aws:policy/AdministratorAccess`). That policy allows every action on every resource, so an attacker who can attach it to a role they are able to assume gains full control of the account; the call is therefore a strong privilege-escalation signal. Note the scope: the rule covers attachment of this managed policy to roles only. An equivalent grant through an inline policy (`PutRolePolicy` with `Action: "*"` on `Resource: "*"`) or through `AttachUserPolicy`/`AttachGroupPolicy` does not produce an `AttachRolePolicy` event and needs its own detection.

## Triage and response{% #triage-and-response %}

1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.
2. If the API call was not made by the user:
   - Rotate the user's credentials. For an IAM user that means the access keys and console password; if the call came from an assumed role, revoke the role's active sessions and rotate the credentials that assumed it.
   - Determine what other API calls were made by the user, in particular whether the `{{@requestParameters.roleName}}` role was assumed after the policy was attached, since that is when the new privilege is actually used.
   - Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html).
3. If the API call was made legitimately by the user:
   - Determine if the role `{{@requestParameters.roleName}}` requires the `AdministratorAccess` policy to perform its intended function.
   - Advise the user to find the [least privileged](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) policy that allows the role to operate as intended.
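The triage steps above as one worked example, added here and not part of the Datadog rule: given the alerting CloudTrail event and the other events recorded around it (all constructed for this example, with made-up ARNs and an imaginary account number), the helper below identifies the actor, lists every other API call made by the same principal, checks whether the role was assumed after the attach, builds the `detach-role-policy` invocation as an argument list (not executed here), and, for an assumed-role session, produces the `Deny`-on-`aws:TokenIssueTime` inline policy that invalidates sessions issued before a given time, which is the same shape the IAM console's "Revoke active sessions" action attaches.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Any

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed identities and events (not real data).
ALICE = {"type": "AssumedRole",
         "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/alice",
         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/DevOps"}}}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"}

EVENTS: list[dict[str, Any]] = [
    {"eventID": "e1", "eventTime": "2024-05-01T11:58:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "userIdentity": ALICE},
    {"eventID": "e2", "eventTime": "2024-05-01T11:59:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": ALICE},
    {"eventID": "e3", "eventTime": "2024-05-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "userIdentity": ALICE,
     "requestParameters": {"roleName": "app-worker", "policyArn": ADMIN_POLICY_ARN}},
    {"eventID": "e4", "eventTime": "2024-05-01T12:00:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": ALICE,
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/app-worker"}},
    {"eventID": "e5", "eventTime": "2024-05-01T12:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": BOB},
]
ALERT = EVENTS[2]                                   # the event that fired the rule
NOW = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)  # assumed triage time


def other_calls(alert: dict[str, Any], events: list[dict[str, Any]]) -> Counter:
    """Step 2: every other API call recorded for the same principal ARN."""
    actor = alert["userIdentity"]["arn"]
    return Counter(e["eventName"] for e in events
                   if e["userIdentity"]["arn"] == actor and e["eventID"] != alert["eventID"])


def role_assumed_after_attach(alert: dict[str, Any], events: list[dict[str, Any]]) -> bool:
    """Was the newly privileged role assumed by the same actor after the attach?
    eventTime strings share one ISO-8601 'Z' format, so lexical comparison is chronological."""
    actor = alert["userIdentity"]["arn"]
    role = alert["requestParameters"]["roleName"]
    return any(e["eventName"] == "AssumeRole" and e["eventTime"] > alert["eventTime"]
               and e.get("requestParameters", {}).get("roleArn", "").endswith(":role/" + role)
               for e in events if e["userIdentity"]["arn"] == actor)


def credential_action(identity: dict[str, Any]) -> str:
    """Step 2: what 'rotate credentials' means depends on the identity type."""
    kind = identity["type"]
    if kind == "IAMUser":
        return f"deactivate and rotate access keys and console password for user {identity['userName']}"
    if kind == "AssumedRole":
        issuer = identity["sessionContext"]["sessionIssuer"]["arn"]
        return f"revoke active sessions of {issuer} and rotate the credentials that assumed it"
    if kind == "Root":
        return "rotate root credentials and MFA immediately"
    return f"review credentials for identity type {kind}"


def revoke_sessions_policy(issued_before: datetime) -> dict[str, Any]:
    """Inline Deny on everything for sessions issued before the given time."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {
            "aws:TokenIssueTime": issued_before.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}


def detach_command(alert: dict[str, Any]) -> list[str]:
    """Step 2: the detach-role-policy call as an argv list for subprocess.run; not executed here."""
    params = alert["requestParameters"]
    return ["aws", "iam", "detach-role-policy",
            "--role-name", params["roleName"], "--policy-arn", params["policyArn"]]


def remediation_plan(alert: dict[str, Any], events: list[dict[str, Any]], now: datetime) -> dict[str, Any]:
    identity = alert["userIdentity"]
    plan = {
        "session_name": identity["arn"].rsplit("/", 1)[-1],
        "identity_type": identity["type"],
        "other_calls": other_calls(alert, events),
        "role_assumed_after_attach": role_assumed_after_attach(alert, events),
        "credential_action": credential_action(identity),
        "detach_command": detach_command(alert),
    }
    if identity["type"] == "AssumedRole":
        plan["revoke_sessions_policy"] = revoke_sessions_policy(now)
    return plan


if __name__ == "__main__":
    for key, value in remediation_plan(ALERT, EVENTS, NOW).items():
        print(f"{key}: {value}")
```

In a real investigation the `events` list would come from `aws cloudtrail lookup-events` or the log index, filtered on the actor's ARN, rather than from an inline list; everything else stays the same. The revoke policy is meant to be attached to the role named in `sessionIssuer`, not to the newly privileged role, because it is the attacker's own session that has to be cut off.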
