< Back to rules search
AWS IAM User Escalating Privileges
Set up the guardduty integration.
Detect when an AWS IAM user is attempting to escalate permissions.
This rule lets you monitor this GuardDuty integration finding:
Triage & Response
- Determine which user triggered the signal. This can be found in the signal.
- Determine if the user’s credentials are compromised.
- If the user’s credentials are compromised:
- Review the AWS [documentation] on remediating compromised AWS credentials.