
AWS IAM policy modified

ID: aws_iam_policy_modified
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected an unexpected modification of an AWS IAM policy. Adversaries can modify, delete or create AWS IAM policies to gain higher-level permissions on a system or network, maintain persistence, or impersonate legitimate users within the AWS environment.

Impact

An unauthorized change to an AWS IAM policy may indicate that a user or role in the account has been compromised. A principal able to alter IAM policies can grant itself control over cloud resources, enabling it to delete, modify, or steal critical data.

Severity

Severity        Condition
Informational   AWS IAM policy was modified unexpectedly
Low             AWS IAM policy granting full or admin access was attached

Investigation and Remediation

Review AWS CloudTrail logs to identify the modified AWS IAM policy (the policy ARN or inline policy name in requestParameters), its content, and the user or role (userIdentity) responsible for the change, together with the source IP address and the time of the call. Check whether the affected principal made further API calls after the change, since a newly granted permission may already have been used. If the modification is unauthorized, revert it: detach the attached policy, delete the offending inline policy, or set the previous policy version back as the default. Reset the credentials of the user who made the change, revoke all of their active sessions, and enable multi-factor authentication (MFA) if it is not already in place.
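The following is an added example, not AlphaSOC's detection code, showing how the severity table above and the investigation steps map onto raw CloudTrail records: it picks out IAM policy-write events, extracts the responsible identity and the affected policy, and rates the finding "low" when the change attaches or writes full/admin access and "informational" otherwise. The set of IAM API calls treated as policy modifications, the full/admin-access test, the allowlist of expected administrative principals, and the sample CloudTrail records are all constructed assumptions for illustration.

```python
"""Triage CloudTrail IAM policy-change events. Added example, not AlphaSOC code:
the event list, admin test, allowlist and sample records are constructed assumptions."""
import json
from urllib.parse import unquote

# IAM write APIs that create, version, attach, replace or delete a policy (assumption).
POLICY_WRITE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion", "DeletePolicy",
    "DeletePolicyVersion", "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy", "PutUserPolicy",
    "PutRolePolicy", "PutGroupPolicy", "DeleteUserPolicy", "DeleteRolePolicy", "DeleteGroupPolicy",
}
# AWS managed policies treated as full/admin access (assumption; extend per environment).
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess",
                     "arn:aws:iam::aws:policy/IAMFullAccess"}


def _as_list(value):  # Statement, Action and Resource may be a scalar or a list
    return value if isinstance(value, list) else [value]


def policy_document_grants_admin(doc):
    """True if an Allow statement grants Action "*" (or "iam:*") on Resource "*"."""
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"*", "iam:*"} and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def parse_policy_document(raw):
    """CloudTrail logs policyDocument as a string, frequently URL-encoded."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def classify_event(event, expected_principals=frozenset()):
    """Triage record for an IAM policy change, or None if the record is not one.

    Severity mirrors the page's table: "informational" for any unexpected change,
    "low" when full/admin access is attached or written. Changes by a principal in
    expected_principals (routine administration) get severity None.
    """
    name = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or name not in POLICY_WRITE_EVENTS:
        return None
    if event.get("errorCode"):  # e.g. AccessDenied: attempted, but nothing changed
        return None
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    grants_admin = name.startswith("Attach") and params.get("policyArn") in ADMIN_POLICY_ARNS
    if "policyDocument" in params:
        grants_admin = grants_admin or policy_document_grants_admin(
            parse_policy_document(params["policyDocument"]))
    if actor in expected_principals:
        severity = None
    else:
        severity = "low" if grants_admin else "informational"
    return {"time": event.get("eventTime"), "actor": actor, "event": name,
            "source_ip": event.get("sourceIPAddress"),
            "policy": params.get("policyArn") or params.get("policyName"),
            "target": params.get("userName") or params.get("roleName") or params.get("groupName"),
            "grants_admin": grants_admin, "severity": severity}


def triage(events, expected_principals=frozenset()):
    """Findings an analyst should review, with routine administrative changes filtered out."""
    records = (classify_event(e, expected_principals) for e in events)
    return [r for r in records if r and r["severity"] is not None]


# URL-encoded form of {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}
ADMIN_DOC_URLENCODED = ("%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22"
                        "%3A%22Allow%22%2C%22Action%22%3A%22%2A%22%2C%22Resource%22%3A%22%2A%22%7D%5D%7D")
DEV_CI = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-ci"}
IAM_ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/iam-admin/alice"}

# Constructed sample CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "198.51.100.7", "userIdentity": DEV_CI,
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "sourceIPAddress": "198.51.100.7", "userIdentity": DEV_CI,
     "requestParameters": {"userName": "dev-ci", "policyName": "tmp", "policyDocument": ADMIN_DOC_URLENCODED}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "sourceIPAddress": "198.51.100.7", "userIdentity": DEV_CI,
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app-read", "setAsDefault": True,
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}]})}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "203.0.113.9", "userIdentity": IAM_ADMIN,
     "requestParameters": {"roleName": "audit-role", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {IAM_ADMIN["arn"]}):
        print(f["severity"].upper(), f["time"], f["actor"], f["event"], f["policy"], f["target"])
```

Run against the constructed records with the iam-admin role allowlisted, the script reports two "low" findings (AdministratorAccess attached to app-role, and an inline policy granting "*" on "*") and one "informational" finding (a new, narrowly scoped version of app-read), while the routine ReadOnlyAccess attachment by the expected administrator is filtered out. Note that the allowlist is the place where the false positive listed on this page is handled; failed calls (errorCode set) are deliberately excluded because they changed nothing, even though repeated denied attempts are worth alerting on separately.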

Known False Positives

  • Authorized administrators modifying AWS IAM policies as part of routine account management