Unexpected AWS API calls indicating IAM role trust policy modification failure
Description
AlphaSOC detected a failed attempt to update an AWS IAM role trust policy using
the UpdateAssumeRolePolicy API action. This action modifies the trust
relationship that defines which principals (users, roles, or AWS services) can
assume a role. Threat actors may attempt to modify trust policies to establish
persistence by allowing unauthorized entities to assume privileged roles within
the AWS environment.
Impact
Failed attempts to modify role trust policies may indicate reconnaissance activity where adversaries are probing for misconfigured permissions or attempting privilege escalation. While the immediate impact is limited due to the failure, these attempts often precede successful attacks. If eventually successful, such modifications could allow threat actors to maintain persistent access to AWS resources through compromised or malicious principals.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent, or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Examine CloudTrail logs to identify the source of the failed
UpdateAssumeRolePolicy attempts, including the requesting principal, IP
address, and target role. Verify whether these attempts were authorized. If
unauthorized, immediately rotate any potentially compromised credentials and
review trust policies for all sensitive roles to identify any successful
modifications.
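As an added example (not AlphaSOC's own code), the following Python filters a CloudTrail log batch for failed UpdateAssumeRolePolicy calls and pulls out the fields the investigation above asks for. The records are constructed sample data; the key names are standard CloudTrail event fields.

```python
import json

# Constructed sample CloudTrail log (not real data): one denied
# UpdateAssumeRolePolicy call, one successful call, one unrelated event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"roleName": "AdminRole"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "AppRole", "policyDocument": "{}"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied"},
]})


def failed_trust_policy_updates(log_text):
    """Return a triage record for each UpdateAssumeRolePolicy call that failed.

    CloudTrail attaches errorCode (e.g. AccessDenied) only to failed calls, so
    successful modifications have no errorCode and are skipped here.
    """
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") != "iam.amazonaws.com"
                or rec.get("eventName") != "UpdateAssumeRolePolicy"
                or not rec.get("errorCode")):
            continue
        params = rec.get("requestParameters") or {}  # may be null on denials
        hits.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "region": rec.get("awsRegion"),
            "target_role": params.get("roleName"),
            "error": rec.get("errorCode"),
        })
    return hits
```

The successful call is deliberately excluded so it can be reviewed separately against the role's current trust policy, as the remediation step above requires.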