
AWS IAM policy modified to allow access to any resource

ID: aws_iam_policy_any_resource
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected that an AWS IAM policy was modified, through a CreatePolicy, CreatePolicyVersion, PutRolePolicy, PutUserPolicy, or PutGroupPolicy action, so that it allows access to any resource. This activity may increase the risk of privilege escalation and potential data breaches.

Impact

Allowing unrestricted access to any resource through AWS IAM policies can lead to privilege escalation, enabling unauthorized access to sensitive data or the manipulation of AWS resources. Such changes may impact multiple AWS services and accounts.

Severity

Severity: Low
Condition: AWS IAM policy modified to allow access to any resource

Investigation and Remediation

Review the AWS IAM policy modification to identify the responsible user or entity and determine if the change was authorized. If unauthorized, revert the policy to its previous state and analyze AWS CloudTrail logs to detect any misuse of expanded permissions.
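
The following Python sketch is an added example, not AlphaSOC's rule logic: it applies the condition from the Description to CloudTrail records and reports who made the change, as a starting point for the review above. It assumes `requestParameters.policyDocument` holds the policy as a JSON string and treats only a bare `"*"` in `Resource` as "any resource"; the sample records, names and account ID are constructed.

```python
import json

# The five API actions named in the rule description.
WATCHED = {"CreatePolicy", "CreatePolicyVersion", "PutRolePolicy",
           "PutUserPolicy", "PutGroupPolicy"}

def as_list(value):
    """IAM JSON allows a single item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def wildcard_statements(policy_document):
    """Return Allow statements whose Resource is, or includes, the bare "*"."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return []  # missing or unparseable document: nothing to evaluate
    statements = as_list(doc.get("Statement")) if isinstance(doc, dict) else []
    return [s for s in statements if isinstance(s, dict)
            and s.get("Effect") == "Allow" and "*" in as_list(s.get("Resource"))]

def triage(records):
    """Return one finding per successful watched IAM call that grants Resource "*"."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "iam.amazonaws.com" or rec.get("errorCode")
                or rec.get("eventName") not in WATCHED):  # failed calls change nothing
            continue
        params = rec.get("requestParameters") or {}
        hits = wildcard_statements(params.get("policyDocument"))
        if hits:
            findings.append({
                "event": rec["eventName"],
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "target": params.get("policyName") or params.get("policyArn"),
                "actions": [a for s in hits for a in as_list(s.get("Action"))],
            })
    return findings

# Constructed sample records (placeholder account ID and names, not real CloudTrail output).
SAMPLE = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"roleName": "example-role", "policyName": "example-inline",
         "policyDocument": '{"Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}'}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
     "requestParameters": {"policyName": "example-scoped", "policyDocument":
         '{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]}]}'}},
]
print(json.dumps(triage(SAMPLE), indent=2))
```

The `actions` field in each finding shows what was granted on `"*"`, which helps decide whether the change warrants reverting the policy.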