
IAM default policy set to an unexpected version

ID: aws_set_default_policy_version_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected the use of the SetDefaultPolicyVersion action, which updates the default AWS IAM policy version. This action affects all users, groups, and roles associated with the policy, and may indicate that threat actors are making unauthorized changes to access controls, potentially to escalate privileges within the AWS environment.

Impact

Changing the default policy version alters permissions across AWS services. This could lead to unauthorized access to sensitive data, privilege escalation, or destructive actions.

Severity

Severity        Condition
Informational   AWS IAM default policy version set
Low             AWS IAM default policy version set unexpectedly

Investigation and Remediation

Compare the changes between the previous and new default versions of the policy, and verify whether the action was authorized by a legitimate administrator. If unauthorized, revert the policy to its previous version, rotate compromised credentials, and assess the extent of potential damage.
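As an added illustration of this triage (example code written for this page, not AlphaSOC's detection logic or any AWS tooling), the following Python filters CloudTrail records for IAM SetDefaultPolicyVersion calls, applies an assumed heuristic for "unexpected" (the actor is not on an allow-list of expected administrators, or the selected version is not the newest one), and diffs the Allow grants of the previous and new default version documents so the analyst can see exactly which permissions changed. The sample events, the per-policy version list, the admin allow-list, and both policy documents are constructed for the example; in a real investigation they would come from CloudTrail, ListPolicyVersions, and GetPolicyVersion.

```python
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample CloudTrail records (placeholders, not real data). Field names
# follow the CloudTrail record layout for IAM API calls.
SAMPLE_EVENTS: List[dict] = [
    {
        "eventTime": "2024-05-01T09:12:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "SetDefaultPolicyVersion",
        "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
            "versionId": "v3",
        },
    },
    {
        "eventTime": "2024-05-01T09:40:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "SetDefaultPolicyVersion",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::123456789012:policy/app-policy",
            "versionId": "v1",
        },
    },
    {   # unrelated read-only call, must be ignored by the filter
        "eventTime": "2024-05-01T09:41:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/app-policy"},
    },
]

# Assumed context (constructed): versions per policy in creation order, as
# ListPolicyVersions would report them, and the principals expected to change defaults.
KNOWN_VERSIONS: Dict[str, List[str]] = {
    "arn:aws:iam::123456789012:policy/app-policy": ["v1", "v2", "v3"],
}
EXPECTED_ADMINS: Set[str] = {"ops-admin"}

# Constructed policy documents for the previous (v3) and newly selected (v1) default.
# GetPolicyVersion returns the document URL-encoded; unquote and json.loads it first.
POLICY_V3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"}]}
POLICY_V1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:*"], "Resource": "*"}]}


def set_default_version_events(events: Iterable[dict]) -> List[dict]:
    """Keep only IAM SetDefaultPolicyVersion records and flatten the fields an analyst needs."""
    out = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "SetDefaultPolicyVersion":
            continue
        params = ev.get("requestParameters") or {}
        out.append({
            "time": ev.get("eventTime"),
            "actor": (ev.get("userIdentity") or {}).get("userName", "<unknown>"),
            "policy_arn": params.get("policyArn"),
            "version_id": params.get("versionId"),
        })
    return out


def classify(change: dict, known_versions=KNOWN_VERSIONS, expected_admins=EXPECTED_ADMINS) -> str:
    """Assumed heuristic: 'Low' (unexpected) when the actor is not an expected admin or the
    chosen version is not the newest one; otherwise 'Informational'."""
    versions = known_versions.get(change["policy_arn"], [])
    newest = versions[-1] if versions else None
    if change["actor"] not in expected_admins or change["version_id"] != newest:
        return "Low"
    return "Informational"


def _as_list(value) -> list:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_grants(doc: dict) -> Set[Tuple[str, str]]:
    """Collect (action, resource) pairs granted by Allow statements in a policy document."""
    grants = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action, resource))
    return grants


def diff_policy_versions(previous: dict, new: dict) -> Dict[str, Set[Tuple[str, str]]]:
    """Grants that the new default adds or removes relative to the previous default."""
    prev_g, new_g = allowed_grants(previous), allowed_grants(new)
    return {"added": new_g - prev_g, "removed": prev_g - new_g}


if __name__ == "__main__":
    for change in set_default_version_events(SAMPLE_EVENTS):
        print(classify(change), json.dumps(change))
    print(json.dumps({k: sorted(v) for k, v in diff_policy_versions(POLICY_V3, POLICY_V1).items()}))
```

The second sample event is the one the page's Low condition is about: a non-admin principal moves the default back to an older version, and the diff shows that the old version grants iam:* on all resources, which is the privilege-escalation outcome the Impact section warns about. Reverting is a matter of setting the default back to the previously verified version and then rotating the actor's credentials, as the text above describes.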

Known False Positives

  • Authorized administrators making legitimate policy updates as part of routine maintenance
  • Rollback operations to a previous policy version after detecting issues with a new version