
AWS policy modified to allow unknown principal to assume an IAM role

ID: aws_iam_policy_role_external_principal
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected that an AWS IAM role's trust policy (its assume role policy) was created or modified through the CreateRole or UpdateAssumeRolePolicy actions so that an unknown principal is allowed to assume the role. Such modifications may grant unauthorized access to AWS resources. Adversaries often target AWS IAM roles to escalate privileges or maintain persistence.
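As an added example (not AlphaSOC's detection logic), the check this rule describes, run over two constructed CloudTrail events: it pulls the trust policy out of a CreateRole or UpdateAssumeRolePolicy event and reports any AWS principal that belongs neither to the event's own account nor to an assumed allowlist of trusted accounts. TRUSTED_ACCOUNTS, the account IDs and the role names are placeholders.

```python
import json
import re
from urllib.parse import unquote

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumed allowlist (constructed IDs)
# requestParameters field that carries the trust policy for each of the two actions.
POLICY_FIELD = {"CreateRole": "assumeRolePolicyDocument",
                "UpdateAssumeRolePolicy": "policyDocument"}

def principal_account(principal):
    """Account ID of an 'AWS' principal ('*' for wildcard, None if unparseable)."""
    if principal == "*":
        return "*"
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", principal)
    return m.group(1) if m else None

def external_principals(event, trusted=TRUSTED_ACCOUNTS):
    """Principals in the trust policy that are neither the event's own account nor allowlisted."""
    field = POLICY_FIELD.get(event.get("eventName"))
    if field is None or event.get("errorCode"):
        return []  # not a trust-policy change, or the API call was denied/failed
    known = trusted | {event.get("recipientAccountId")}
    raw = event.get("requestParameters", {}).get(field, "{}")
    policy = json.loads(unquote(raw))  # CloudTrail stores the document URL-encoded
    stmts = policy.get("Statement", [])
    flagged = []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = {"AWS": "*"} if stmt.get("Principal") == "*" else stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in ([aws] if isinstance(aws, str) else aws):
            if principal_account(p) not in known:
                flagged.append(p)
    return flagged

def trust_policy(principal):
    # Minimal sts:AssumeRole trust policy document, used only to build the samples below.
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

# Constructed sample events (not real log data); 999999999999 is an unknown account.
SAMPLE_EVENTS = [
    {"eventName": "UpdateAssumeRolePolicy", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "AdminRole",
                           "policyDocument": trust_policy({"AWS": "arn:aws:iam::999999999999:root"})}},
    {"eventName": "CreateRole", "recipientAccountId": "111111111111",
     "requestParameters": {"roleName": "DeployRole",
                           "assumeRolePolicyDocument": trust_policy({"Service": "ec2.amazonaws.com"})}},
]
```

Only the first sample fires: its trust policy admits the root of an account outside the allowlist, whereas the second trusts an AWS service principal, which this rule does not cover.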

Impact

A threat actor who successfully assumes an AWS IAM role could potentially access sensitive data, modify resources, or launch further attacks within the AWS environment. This may lead to data breaches, service disruptions, or unauthorized AWS service usage, potentially resulting in significant costs.

Severity

Severity   Condition
Medium     AWS policy modified to allow unknown principal to assume an IAM role

Investigation and Remediation

Investigate the affected AWS IAM role and the policy changes. Review AWS CloudTrail logs to identify the user or entity responsible for the modification and verify whether it was authorized. If unauthorized, revoke the permissions of the potentially compromised user accounts, revert the AWS IAM role to its original configuration, and investigate for signs of further compromise.