AWS IAM policy granting full or admin access attached
Description
AlphaSOC detected an unexpected modification of an AWS IAM policy. Adversaries can modify, delete or create AWS IAM policies to gain higher-level permissions on a system or network, maintain persistence, or impersonate legitimate users within the AWS environment.
Impact
An unauthorized change to an AWS IAM policy may indicate a potential system compromise. Credentials that have been compromised in this way could grant attackers control over cloud resources, enabling them to delete, modify, or steal critical data.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS IAM policy was modified unexpectedly |
| Low | AWS IAM policy granting full or admin access was attached |
Investigation and Remediation
Review AWS CloudTrail logs to identify the modified AWS IAM policy, its content, and the user or role responsible for the change. If the modification is unauthorized, revert the policy to its previous state. Reset the credentials of the user who made the change, revoke all their active sessions, and enable multi-factor authentication (MFA) if it is not already in place.
Known False Positives
- Authorized administrators modifying AWS IAM policies as part of routine account management
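The triage below, added here as an example and not AlphaSOC's detection code, walks through the investigation step above on constructed CloudTrail records: it picks out IAM policy-change events, grades each one against the severity table (Informational for any modification, Low when full or admin access is attached, judged by the AdministratorAccess managed-policy ARN or an inline document allowing every action on every resource), names the responsible principal and source IP, builds the AWS CLI command that reverts the attachment, and marks changes made by an assumed allowlist of authorized administrators as the known false positive listed above. The event names, ARNs and CLI commands are real; the allowlist, the sample records and the choice of which API calls count as a modification are assumptions of this example.

```python
"""Triage CloudTrail IAM policy-change records against the severity table.

Added example, not AlphaSOC's detection code. The records in SAMPLE_EVENTS
are constructed, and AUTHORIZED_ADMINS is an assumed allowlist.
"""
import json

# Real IAM API names that attach or write policy content; treating exactly
# these as "policy modifications" is an assumption of this example.
POLICY_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}
# AWS-managed policy that grants unrestricted access (real ARN).
ADMIN_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
# Real AWS CLI commands that undo each attachment; the placeholders are the
# requestParameters field names CloudTrail records for that API call.
REVERT_COMMANDS = {
    "AttachUserPolicy": "aws iam detach-user-policy --user-name {userName} --policy-arn {policyArn}",
    "AttachRolePolicy": "aws iam detach-role-policy --role-name {roleName} --policy-arn {policyArn}",
    "AttachGroupPolicy": "aws iam detach-group-policy --group-name {groupName} --policy-arn {policyArn}",
    "PutUserPolicy": "aws iam delete-user-policy --user-name {userName} --policy-name {policyName}",
    "PutRolePolicy": "aws iam delete-role-policy --role-name {roleName} --policy-name {policyName}",
    "PutGroupPolicy": "aws iam delete-group-policy --group-name {groupName} --policy-name {policyName}",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_full_access(policy_document):
    """True if an Allow statement covers every action on every resource.

    'iam:*' on '*' is treated as admin-equivalent: it lets the principal
    attach AdministratorAccess to itself.
    """
    if isinstance(policy_document, str):  # CloudTrail stores the document as a JSON string
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "iam:*"} and "*" in resources:
            return True
    return False


def classify(event, authorized_admins=frozenset()):
    """Map one CloudTrail record to a finding, or None if it is out of scope."""
    name = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or name not in POLICY_CHANGE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    full_access = params.get("policyArn") in ADMIN_MANAGED_POLICIES or (
        "policyDocument" in params and grants_full_access(params["policyDocument"])
    )
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    try:
        revert = REVERT_COMMANDS[name].format(**params)
    except KeyError:  # no revert template for this API, or the record lacks a field
        revert = None
    return {
        "eventTime": event.get("eventTime"),
        "eventName": name,
        "actor": actor,
        "sourceIPAddress": event.get("sourceIPAddress"),
        "severity": "Low" if full_access else "Informational",
        "known_false_positive": actor in authorized_admins,
        "revert": revert,
    }


def triage(events, authorized_admins=frozenset()):
    """Findings for all in-scope records: unexplained Low-severity ones first."""
    findings = [f for f in (classify(e, authorized_admins) for e in events) if f]
    findings.sort(key=lambda f: (f["known_false_positive"], f["severity"] != "Low"))
    return findings


# Constructed CloudTrail records; account id, names and addresses are made up.
_CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
_OPS_ADMIN = "arn:aws:iam::123456789012:user/ops-admin"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": _CONTRACTOR},
     "requestParameters": {"userName": "contractor",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": _CONTRACTOR},
     "requestParameters": {"roleName": "ci-deploy", "policyName": "tmp",
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventTime": "2024-05-01T11:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "IAMUser", "arn": _OPS_ADMIN},
     "requestParameters": {"roleName": "auditor",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-05-01T11:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": _OPS_ADMIN}},
]
AUTHORIZED_ADMINS = frozenset({_OPS_ADMIN})

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, AUTHORIZED_ADMINS):
        tag = " (known false positive)" if f["known_false_positive"] else ""
        print(f["severity"], f["eventName"], f["actor"], f["sourceIPAddress"], f["revert"], tag)
```

Running the script lists the two contractor changes first as Low, each with the exact detach or delete command that restores the previous state, and the ReadOnlyAccess attachment by the allowlisted administrator last as an Informational known false positive; the EC2 record is ignored. The returned findings also carry the actor ARN and source address needed for the credential reset and session revocation described above. In practice the records come from CloudTrail Lake, Athena, or `lookup-events` rather than a literal list, and the allowlist should match the change-management record rather than a fixed set of ARNs.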