AWS policy modified to allow unknown principal to assume an IAM role
Description
AlphaSOC detected that the trust policy of an AWS IAM role was created or modified, through the CreateRole or UpdateAssumeRolePolicy action, so that a principal not previously seen in the environment is allowed to assume the role. The trust policy alone decides who may call sts:AssumeRole on a role, so a change of this kind can hand an outside account, a wildcard principal or an unrecognized identity every permission the role carries, without any change to the role's permission policies. Adversaries frequently edit role trust policies to escalate privileges or to keep persistent access that survives rotation of the credentials they originally compromised.
Impact
A threat actor who assumes the role inherits every permission attached to it and could read sensitive data, modify or delete resources, or pivot further within the AWS environment. Depending on the role's permissions this may lead to data breaches, service disruption, or unauthorized use of AWS services that incurs significant costs.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS policy modified to allow unknown principal to assume an IAM role |
Investigation and Remediation
Start from the affected role and the exact change: compare the role's current trust policy (the AssumeRolePolicyDocument returned by aws iam get-role) with what it is expected to contain, and list each principal it now admits. In AWS CloudTrail, filter for the CreateRole or UpdateAssumeRolePolicy event against that role (eventSource iam.amazonaws.com) and note the caller's userIdentity, sourceIPAddress and userAgent; the policy document that was submitted is recorded in requestParameters. Confirm with the caller and with any change-management record whether the modification was authorized. If it was not, restore the previous trust policy (AWS Config resource history holds earlier versions of the role if Config is recording IAM resources; otherwise use the infrastructure-as-code definition), disable or rotate the credentials of the identity that made the change, and invalidate any sessions the unknown principal has already obtained, for example by attaching a deny policy keyed on aws:TokenIssueTime as the IAM console's revoke-sessions action does. Then search CloudTrail for other activity by the same identity and source address, in particular further IAM changes (new users, access keys, policies, or trust-policy edits on other roles) and AssumeRole events on the affected role from the unknown principal, to scope the compromise.
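The detection described at the top of this page and the CloudTrail review above, reduced to code: this is an added example, not AlphaSOC's detection engine or code from this page. It reads CloudTrail records for CreateRole and UpdateAssumeRolePolicy, parses the submitted trust policy, and reports every principal that is neither an AWS service nor owned by an account on an allowlist, together with the actor who made the change. The allowlist (KNOWN_ACCOUNTS), the sample records, and the handling of URL-encoded policy documents are assumptions; replace the allowlist with your own account IDs.

```python
"""Flag CreateRole / UpdateAssumeRolePolicy CloudTrail events whose trust
policy admits a principal outside a known-account allowlist.

Added example, not AlphaSOC's detection logic. KNOWN_ACCOUNTS and the
sample records below are constructed, not real data.
"""
import json
import re
from urllib.parse import quote, unquote

# Assumption: account IDs that belong to us or to partners we already trust.
KNOWN_ACCOUNTS = {"111111111111"}

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")
BARE_ACCOUNT_ID = re.compile(r"^\d{12}$")

# Which requestParameters field carries the trust policy for each event.
DOCUMENT_FIELD = {"CreateRole": "assumeRolePolicyDocument",
                  "UpdateAssumeRolePolicy": "policyDocument"}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy_document(raw):
    """CloudTrail carries the trust policy as a JSON string; some records
    URL-encode it (assumption: handle both forms)."""
    if isinstance(raw, dict):
        return raw
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(unquote(raw))


def assume_role_principals(policy):
    """Yield (kind, value) for every principal in an Allow statement that
    grants an sts:AssumeRole* action (or the broad sts:* / * actions)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("*", "sts:*") or a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare wildcard: anyone may assume the role
            yield ("AWS", "*")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                yield (kind, value)


def owner_of(kind, value):
    """Return the 12-digit account owning the principal, '*' for a wildcard,
    or None for an AWS service principal (e.g. ec2.amazonaws.com), which is
    only usable from the role's own account and is not treated as unknown."""
    if kind == "Service":
        return None
    if value == "*":
        return "*"
    match = ACCOUNT_IN_ARN.match(value)
    if match:
        return match.group(1)
    if BARE_ACCOUNT_ID.match(value):
        return value
    return value  # federated provider outside IAM (OIDC/SAML host): unknown


def unknown_principals(event, known_accounts=KNOWN_ACCOUNTS):
    """Principals admitted by the event's trust policy that are neither AWS
    services nor owned by a known account. Empty for other event types."""
    field = DOCUMENT_FIELD.get(event.get("eventName"))
    raw = (event.get("requestParameters") or {}).get(field) if field else None
    if raw is None:
        return []
    flagged = []
    for kind, value in assume_role_principals(load_policy_document(raw)):
        owner = owner_of(kind, value)
        if owner is not None and owner not in known_accounts:
            flagged.append(value)
    return flagged


def scan(events, known_accounts=KNOWN_ACCOUNTS):
    """One finding per event that admits an unknown principal, including the
    actor and source address so the CloudTrail review can start there."""
    findings = []
    for event in events:
        bad = unknown_principals(event, known_accounts)
        if bad:
            findings.append({
                "eventName": event["eventName"],
                "roleName": event["requestParameters"]["roleName"],
                "actor": event.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": event.get("sourceIPAddress"),
                "unknownPrincipals": bad,
            })
    return findings


def _trust(principal, condition=None):
    """Build a minimal trust-policy JSON string for the constructed samples."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed sample CloudTrail records (fields trimmed to what the check reads).
SAMPLE_EVENTS = [
    {"eventName": "UpdateAssumeRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"roleName": "DataExport",
                           "policyDocument": _trust({"AWS": "arn:aws:iam::999999999999:root"})}},
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci"},
     "requestParameters": {"roleName": "Ec2Worker",
                           "assumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})}},
    {"eventName": "UpdateAssumeRolePolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "CrossAccountAdmin",
                           # the Condition narrows the wildcard, but it is still flagged for review
                           "policyDocument": _trust({"AWS": "*"}, {"StringEquals": {"sts:ExternalId": "x"}})}},
    {"eventName": "CreateRole", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci"},
     "requestParameters": {"roleName": "Deployer",  # URL-encoded document, known account
                           "assumeRolePolicyDocument": quote(_trust({"AWS": "arn:aws:iam::111111111111:root"}))}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The check deliberately ignores Condition blocks: a wildcard narrowed by sts:ExternalId or aws:PrincipalOrgID is still reported, because whether that condition is adequate is a review decision, not something the parser can settle. In a real deployment the records come from CloudTrail delivery to S3, CloudTrail Lake or an EventBridge rule on the two event names rather than from an inline list, and the allowlist should be derived from your organization's account inventory.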