AWS IAM Roles Anywhere User Profile Creation

Goal

Detect when an IAM Roles Anywhere profile is created.

Strategy

This rule monitors CloudTrail logs for CreateProfile API calls. A profile is a list of the IAM roles that the AWS IAM Roles Anywhere service is trusted to assume, and an attacker may attempt to create one. Profiles are also used to intersect the assumed role's permissions with IAM managed policies.
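The detection logic described above, as an added example that is not the rule's own implementation: it filters CloudTrail records on the Roles Anywhere event source and the CreateProfile event name, then pulls out the fields a responder needs for triage (caller ARN, profile name, role ARNs). The CloudTrail field names used (eventSource, requestParameters.name, requestParameters.roleArns) are assumed from the CreateProfile API, and the sample records are constructed.

```python
from typing import Optional

# Added example, not the rule's own implementation. The CloudTrail field names
# (eventSource, requestParameters.name / roleArns) are assumed from the
# Roles Anywhere CreateProfile API; all records below are constructed.
ROLES_ANYWHERE_SOURCE = "rolesanywhere.amazonaws.com"

def match_create_profile(event: dict) -> Optional[dict]:
    """Return a triage summary if the event is a Roles Anywhere CreateProfile call."""
    if event.get("eventSource") != ROLES_ANYWHERE_SOURCE:
        return None  # a CreateProfile from any other service is not this rule's concern
    if event.get("eventName") != "CreateProfile":
        return None  # other Roles Anywhere calls (ListProfiles, ...) are out of scope
    params = event.get("requestParameters") or {}
    return {
        "event_name": event["eventName"],
        "actor_arn": (event.get("userIdentity") or {}).get("arn"),
        "profile_name": params.get("name"),
        "role_arns": list(params.get("roleArns") or []),  # roles the profile may assume
        "source_ip": event.get("sourceIPAddress"),
    }

def scan(records: list) -> list:
    """Run the matcher over a batch of CloudTrail records and keep only the hits."""
    return [s for s in map(match_create_profile, records) if s is not None]

# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {
        "eventSource": ROLES_ANYWHERE_SOURCE,
        "eventName": "CreateProfile",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "name": "example-profile",
            "roleArns": ["arn:aws:iam::123456789012:role/ExampleWorkloadRole"],
        },
    },
    {"eventSource": ROLES_ANYWHERE_SOURCE, "eventName": "ListProfiles",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventSource": ROLES_ANYWHERE_SOURCE, "eventName": "CreateTrustAnchor",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit['actor_arn']} created profile {hit['profile_name']} "
              f"trusting roles {hit['role_arns']}")
```

Only the first record produces a hit; the ListProfiles and CreateTrustAnchor records are dropped, which mirrors the rule's focus on CreateProfile alone.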

Triage & response

  1. Determine if the API call {{@evt.name}} should have been performed by the user {{@userIdentity.arn}}:
    • Contact the user to confirm if they made the API call.
  2. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what actions the user took and which new access keys the user created.
    • Begin your organization’s incident response process and investigate.

References