AWS IAM user escalating privileges
Detect when an AWS IAM user is attempting to escalate permissions.
This rule lets you monitor this GuardDuty integration finding:
Triage & Response
- Determine which user triggered the signal. This can be found in the signal.
- Determine if the user’s credentials are compromised.
- If the user’s credentials are compromised:
  - Review the AWS documentation on remediating compromised AWS credentials.
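
For the first triage step, the sketch below pulls the user, access key, API call and source IP out of a GuardDuty finding. It is an added example, not part of the rule or of Datadog's tooling; it assumes the raw finding is available in the shape GuardDuty's GetFindings API returns, and the sample finding (including its finding type, which this page does not name) is constructed.

```python
# Constructed sample shaped like a GuardDuty GetFindings result; every value is a placeholder.
SAMPLE_FINDING = {
    "Id": "constructed-finding-id",
    "AccountId": "111122223333",
    "Type": "PrivilegeEscalation:IAMUser/AnomalousBehavior",
    "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {
        "AccessKeyId": "AKIAEXAMPLEKEY000000", "PrincipalId": "AIDAEXAMPLEPRINCIPAL",
        "UserName": "example-user", "UserType": "IAMUser"}},
    "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
        "Api": "AttachUserPolicy", "ServiceName": "iam.amazonaws.com",
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}},
}

def key_kind(access_key_id):
    """Classify the credential by its AWS access key ID prefix."""
    if access_key_id.startswith("AKIA"):
        return "long-term access key"
    if access_key_id.startswith("ASIA"):
        return "temporary STS credentials"
    return "unknown"

def triage_summary(finding):
    """Extract who acted, with which key, calling what, from where. Missing fields become None."""
    key = finding.get("Resource", {}).get("AccessKeyDetails", {})
    call = finding.get("Service", {}).get("Action", {}).get("AwsApiCallAction", {})
    key_id = key.get("AccessKeyId", "")
    return {
        "finding_type": finding.get("Type"),
        "account": finding.get("AccountId"),
        "user": key.get("UserName"),
        "user_type": key.get("UserType"),
        "access_key_id": key_id or None,
        "key_kind": key_kind(key_id),
        "api": call.get("Api"),
        "service": call.get("ServiceName"),
        "source_ip": call.get("RemoteIpDetails", {}).get("IpAddressV4"),
    }

if __name__ == "__main__":
    for field, value in triage_summary(SAMPLE_FINDING).items():
        print(f"{field:14} {value}")
```

The `key_kind` value matters for the later steps: a long-term key has to be deactivated and rotated, while temporary credentials remain valid until they expire or the issuing sessions are revoked.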