AWS policy modified to allow any principal to assume an IAM role
Description
AlphaSOC detected a modification to an AWS policy, made using either the CreateRole or UpdateAssumeRolePolicy action, that allows any principal ("Principal": "*") to assume an AWS IAM role. Such changes may indicate privilege escalation attempts or efforts to establish persistence by an adversary.
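As an added example (not AlphaSOC's own detection logic), the following Python checks CloudTrail records for the two actions named above and flags a trust policy whose statement allows Principal "*", covering both the bare string form and the {"AWS": "*"} form. The sample events, account ID, role names and user ARN are constructed; the trust policy is URL-encoded inside requestParameters, as CloudTrail records it for these IAM calls.

```python
import json
from urllib.parse import quote, unquote

WATCHED_ACTIONS = {"CreateRole", "UpdateAssumeRolePolicy"}


def _encoded(policy: dict) -> str:
    # CloudTrail stores the trust policy as a URL-encoded JSON string.
    return quote(json.dumps(policy))


def _event(name: str, param_key: str, role: str, principal) -> dict:
    # Constructed sample record (not a real CloudTrail event).
    return {
        "eventSource": "iam.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"roleName": role, param_key: _encoded({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": principal,
                           "Action": "sts:AssumeRole"}]})},
    }


SAMPLE_EVENTS = [
    _event("UpdateAssumeRolePolicy", "policyDocument", "open-role", "*"),
    _event("CreateRole", "assumeRolePolicyDocument", "wildcard-aws", {"AWS": "*"}),
    _event("CreateRole", "assumeRolePolicyDocument", "lambda-role",
           {"Service": "lambda.amazonaws.com"}),
]


def principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or for an AWS principal list/string containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def trust_policy_open_to_anyone(policy: dict) -> bool:
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))
               for s in stmts)


def find_open_trust_policies(events):
    """Return (eventName, roleName, actor ARN) for each matching record."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") not in WATCHED_ACTIONS:
            continue
        params = ev.get("requestParameters") or {}
        raw = params.get("assumeRolePolicyDocument") or params.get("policyDocument")
        if raw is None:
            continue
        policy = json.loads(unquote(raw)) if isinstance(raw, str) else raw
        if trust_policy_open_to_anyone(policy):
            hits.append((ev["eventName"], params.get("roleName"),
                         (ev.get("userIdentity") or {}).get("arn")))
    return hits


if __name__ == "__main__":
    for hit in find_open_trust_policies(SAMPLE_EVENTS):
        print("ALERT: wildcard principal in trust policy:", *hit)
```

A statement with Principal "*" may also carry a Condition block (for example restricting to an organization); this check still flags it, and the reviewer should inspect the condition during investigation.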
Impact
This change may indicate misconfiguration or an active attack in which adversaries, having gained initial access, modify security settings to escalate privileges. This could potentially lead to unauthorized access to sensitive resources, data breaches, service disruptions, and further compromise of AWS infrastructure.
Severity
Severity | Condition
---|---
High | AWS policy modified to allow any principal to assume an IAM role
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or entity responsible, investigate AWS IAM role and policy changes, and verify whether modifications were authorized. If unauthorized, revert the AWS IAM policy to its previous state, rotate potentially compromised credentials, and perform a thorough security assessment to identify and address any additional security risks.