<  Back to rules search

AWS IAM user escalating privileges

guardduty

Classification:

attack

Tactic:

Goal

Detect when an AWS IAM user is attempting to escalate permissions.

Strategy

This rule lets you monitor this GuardDuty integration finding:

Triage and response

  1. Determine which user triggered the signal. This can be found in the signal.
  2. Determine if the user’s credentials are compromised.
  3. If the user’s credentials are compromised:
  • Review the AWS [documentation][3] on remediating compromised AWS credentials.