AWS IAM default policy version set
Description
AlphaSOC detected the use of the SetDefaultPolicyVersion action, which updates the default AWS IAM policy version. This action affects all users, groups, and roles associated with the policy, and may indicate that threat actors are making unauthorized changes to access controls, potentially to escalate privileges within the AWS environment.
Impact
Changing the default policy version alters permissions across AWS services. This could lead to unauthorized access to sensitive data, privilege escalation, or destructive actions.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS IAM default policy version set |
| Low | AWS IAM default policy version set unexpectedly |
Investigation and Remediation
Compare the changes between the previous and new default versions of the policy, and verify whether the action was authorized by a legitimate administrator. If unauthorized, revert the policy to its previous version, rotate compromised credentials, and assess the extent of potential damage.
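One way to carry out the version comparison described above, as an added example that is not AlphaSOC's or AWS's code. It assumes both policy documents have already been retrieved as JSON (for instance with `aws iam get-policy-version`); the function names are hypothetical and the two sample documents are constructed.

```python
# Added example: diff two IAM policy version documents to see what widened.
# Limits: NotAction, NotResource and Condition are not evaluated, and pairs are
# compared as strings (wildcards are flagged, not expanded).

def _as_list(value):
    """Action/Resource may be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def grants(policy_doc, effect):
    """Set of (action, resource) pairs in statements with the given Effect."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    pairs = set()
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                pairs.add((action.lower(), resource))  # action names are case-insensitive
    return pairs


def diff_default_version(old_doc, new_doc):
    """Report how permissions widened between the old and new default version."""
    allow_added = grants(new_doc, "Allow") - grants(old_doc, "Allow")
    deny_removed = grants(old_doc, "Deny") - grants(new_doc, "Deny")
    return {
        "allow_added": sorted(allow_added),
        "deny_removed": sorted(deny_removed),  # a dropped Deny also widens access
        "wildcard_added": sorted(p for p in allow_added if "*" in p[0]),
    }


# Constructed sample documents (not taken from a real account).
_READ = {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
OLD_DEFAULT = {"Version": "2012-10-17", "Statement": [
    _READ, {"Effect": "Deny", "Action": ["iam:CreateAccessKey"], "Resource": "*"}]}
NEW_DEFAULT = {"Version": "2012-10-17", "Statement": [
    _READ, {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    for key, pairs in diff_default_version(OLD_DEFAULT, NEW_DEFAULT).items():
        print(key, pairs)
```

A non-empty `allow_added` or `deny_removed` on a change nobody can account for is the case to treat as unauthorized and revert.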
Known False Positives
- Authorized administrators making legitimate policy updates as part of routine maintenance
- Rollback operations to a previous policy version after detecting issues with a new version