AWS API calls indicating IAM privilege escalation
Description
AlphaSOC detected an IAM policy change granting full CRUD (Create, Read, Update,
Delete) permissions on AWS Identity and Access Management resources. This
detection identifies policies that combine iam:Create*, iam:Get*/iam:List*,
iam:Update*, and iam:Delete* permissions, and triggers on the following policy
events when they introduce these permissions: CreatePolicy,
CreatePolicyVersion, PutUserPolicy, PutGroupPolicy, PutRolePolicy,
AttachUserPolicy, AttachRolePolicy, and AttachGroupPolicy.
AWS IAM manages users, roles, and permissions governing access to AWS services. Full CRUD permissions grant complete control over access management, allowing an attacker to create highly privileged users or roles, modify role trust policies, or remove critical security controls.
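The rule as stated above, replayed over constructed CloudTrail records. This is an added example and not AlphaSOC's detection code: the policy document is read from the event's requestParameters (CloudTrail stores it URL-encoded), Allow statements are checked for coverage of all four CRUD classes, and wildcard patterns such as iam:* or * are treated as covering them. Attach*Policy records carry only a policy ARN, so the example matches those against two AWS managed policies known to grant full IAM access; a live iam:GetPolicyVersion lookup for other ARNs is assumed to be out of scope. The principal ARN, user names and policy names are constructed.

```python
# Added example (not AlphaSOC's code): replays constructed CloudTrail records
# through the full-IAM-CRUD rule and reports which would trigger.
import json
from urllib.parse import quote, unquote

POLICY_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "PutUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
}
# Full IAM CRUD = the Allow statements cover every one of these classes.
CRUD_CLASSES = {
    "create": ("iam:create",),
    "read": ("iam:get", "iam:list"),
    "update": ("iam:update",),
    "delete": ("iam:delete",),
}
# Attach*Policy records carry only the ARN; these managed policies are known to
# grant full IAM access (assumption: no live GetPolicyVersion lookup here).
KNOWN_FULL_IAM_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _overlaps(pattern, prefix):
    """Can the IAM action glob `pattern` match an action starting with
    `prefix`? Compares the literal part before the first '*': exact for
    '*', 'iam:*' and 'iam:Create*'; over-approximates odd mid-string globs."""
    literal = pattern.lower().split("*", 1)[0]
    return literal.startswith(prefix) or prefix.startswith(literal)

def crud_classes_granted(policy_doc):
    """Return the CRUD classes covered by the document's Allow statements."""
    actions = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.extend(_as_list(stmt["Action"]))
    return {cls for cls, prefixes in CRUD_CLASSES.items()
            if any(_overlaps(a, p) for a in actions for p in prefixes)}

def evaluate(record):
    """Return (triggers, reason) for one CloudTrail record."""
    name = record.get("eventName")
    if name not in POLICY_EVENTS:
        return False, "not a policy event"
    params = record.get("requestParameters") or {}
    if name.startswith("Attach"):
        arn = params.get("policyArn", "")
        if arn in KNOWN_FULL_IAM_ARNS:
            return True, f"{name}: {arn} grants full IAM access"
        return False, f"{name}: resolve {arn} via GetPolicyVersion first"
    doc = params.get("policyDocument")
    if doc is None:
        return False, f"{name}: no policyDocument in record"
    if isinstance(doc, str):          # CloudTrail stores it URL-encoded
        doc = json.loads(unquote(doc))
    missing = set(CRUD_CLASSES) - crud_classes_granted(doc)
    if missing:
        return False, f"{name}: does not grant {sorted(missing)}"
    return True, f"{name}: grants iam Create/Get|List/Update/Delete"

def scan(records):
    """Return [(eventName, principalArn, reason)] for records that trigger."""
    hits = []
    for r in records:
        fired, reason = evaluate(r)
        if fired:
            hits.append((r["eventName"], r["userIdentity"]["arn"], reason))
    return hits

def _record(name, principal, **params):           # constructed record
    return {"eventName": name, "eventSource": "iam.amazonaws.com",
            "userIdentity": {"arn": principal}, "requestParameters": params}

def _encoded(statements):                          # as CloudTrail stores it
    return quote(json.dumps({"Version": "2012-10-17", "Statement": statements}))

ATTACKER = "arn:aws:iam::123456789012:user/dev-ci"        # constructed
SAMPLE_RECORDS = [                                         # constructed
    _record("PutUserPolicy", ATTACKER, userName="dev-ci", policyName="helper",
            policyDocument=_encoded([{"Effect": "Allow", "Resource": "*",
                "Action": ["iam:Create*", "iam:Get*", "iam:List*",
                           "iam:Update*", "iam:Delete*"]}])),
    _record("PutRolePolicy", ATTACKER, roleName="audit", policyName="ro",
            policyDocument=_encoded([{"Effect": "Allow", "Resource": "*",
                "Action": ["iam:Get*", "iam:List*"]}])),
    _record("CreatePolicy", ATTACKER, policyName="all",
            policyDocument=_encoded([{"Effect": "Allow", "Resource": "*",
                                      "Action": "*"}])),
    _record("AttachUserPolicy", ATTACKER, userName="dev-ci",
            policyArn="arn:aws:iam::aws:policy/IAMFullAccess"),
    _record("CreateUser", ATTACKER, userName="backup-svc"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(*hit, sep=" | ")
```

Of the five sample records, the read-only PutRolePolicy and the plain CreateUser do not trigger; the inline policy spelling out all four classes, the `"Action": "*"` managed policy, and the IAMFullAccess attachment do. Statements with Deny effect or NotAction are ignored, which keeps the check conservative for the Allow-only policies the description targets.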
Impact
If exploited, the attacker gains highly privileged access to the AWS environment. This enables creation of highly privileged users or roles, bypass of security controls, and persistence through policy manipulation.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating IAM privilege escalation |
Investigation and Remediation
Check CloudTrail for the CreatePolicy, CreatePolicyVersion, PutUserPolicy,
PutGroupPolicy, PutRolePolicy, or Attach\*Policy event that added the IAM
permissions. For Put\*Policy and CreatePolicy\* events the policy document is
in the event's requestParameters; Attach\*Policy events record only the policy
ARN, so retrieve the document with GetPolicy and GetPolicyVersion, and for
CreatePolicyVersion check whether the new version was set as the default.
Verify whether the permissions are required for legitimate use. If
unauthorized, immediately detach or delete the policy. Check IAM for users,
roles, or policies created by the principal. Look for new access keys,
administrative policy attachments, or modified role trust policies. Delete any
unauthorized IAM entities and revert any modified policies. Rotate credentials
for the affected principal and any compromised entities. Enable MFA enforcement
on administrative users.
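The pivot step of the investigation above, as an added example that is not AlphaSOC code: starting from the alerting record, it lists the same principal's later CloudTrail activity that matches the follow-on actions named in the remediation text (new users, roles, access keys, administrative policy attachments, modified role trust policies) and collects the users and roles an analyst must review and clean up. The 24-hour window, the principal ARNs and all records are constructed assumptions.

```python
# Added example (not AlphaSOC's code): post-alert pivot on the principal that
# made the policy change, over constructed CloudTrail records.
from datetime import datetime, timedelta

# Follow-on actions worth flagging after an IAM privilege escalation
FOLLOW_ON = {
    "CreateUser": "new user",
    "CreateRole": "new role",
    "CreateAccessKey": "new access key",
    "CreateLoginProfile": "console password set",
    "AttachUserPolicy": "policy attached to user",
    "AttachRolePolicy": "policy attached to role",
    "UpdateAssumeRolePolicy": "role trust policy modified",
    "DeactivateMFADevice": "MFA device deactivated",
}
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _ts(record):
    # CloudTrail eventTime is ISO 8601 with a trailing Z
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))

def pivot(records, alert, window=timedelta(hours=24)):
    """Follow-on actions by the alert's principal within `window` after the
    alerting record, oldest first: (eventTime, eventName, label, target)."""
    principal = alert["userIdentity"]["arn"]
    start, end = _ts(alert), _ts(alert) + window
    hits = []
    for r in sorted(records, key=_ts):
        if r["userIdentity"]["arn"] != principal or r["eventName"] not in FOLLOW_ON:
            continue
        if not (start <= _ts(r) <= end):
            continue
        p = r.get("requestParameters") or {}
        label = FOLLOW_ON[r["eventName"]]
        if p.get("policyArn") == ADMIN_ARN:
            label = "AdministratorAccess attached"
        target = p.get("userName") or p.get("roleName") or ""
        hits.append((r["eventTime"], r["eventName"], label, target))
    return hits

def entities_to_review(hits):
    """Users and roles touched by the follow-on actions, for the cleanup step."""
    users, roles = set(), set()
    for _, name, _, target in hits:
        if target:
            (roles if "Role" in name else users).add(target)
    return {"users": sorted(users), "roles": sorted(roles)}

def _record(time, name, principal, **params):      # constructed record
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": principal}, "requestParameters": params}

ATTACKER = "arn:aws:iam::123456789012:user/dev-ci"        # constructed
OTHER = "arn:aws:iam::123456789012:user/alice"             # constructed
ALERT = _record("2024-05-01T12:00:00Z", "PutUserPolicy", ATTACKER,
                userName="dev-ci", policyName="helper")
SAMPLE_RECORDS = [                                         # constructed
    ALERT,
    _record("2024-05-01T12:03:10Z", "CreateUser", ATTACKER, userName="backup-svc"),
    _record("2024-05-01T12:03:40Z", "CreateAccessKey", ATTACKER, userName="backup-svc"),
    _record("2024-05-01T12:04:05Z", "AttachUserPolicy", ATTACKER,
            userName="backup-svc", policyArn=ADMIN_ARN),
    _record("2024-05-01T12:06:00Z", "CreateUser", OTHER, userName="intern"),
    _record("2024-05-01T12:10:30Z", "UpdateAssumeRolePolicy", ATTACKER,
            roleName="prod-admin"),
    _record("2024-05-01T12:11:00Z", "ListUsers", ATTACKER),
    _record("2024-05-04T09:00:00Z", "CreateRole", ATTACKER, roleName="late"),
]

if __name__ == "__main__":
    hits = pivot(SAMPLE_RECORDS, ALERT)
    for h in hits:
        print(*h, sep=" | ")
    print(entities_to_review(hits))
```

The other user's CreateUser, the principal's read-only ListUsers, and the CreateRole three days later fall outside the pivot; the four remaining actions give the analyst one user (backup-svc, with a fresh key and AdministratorAccess) and one role (prod-admin, trust policy changed) to delete or revert, and the principal whose credentials must be rotated.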
Known False Positives
- Authorized security teams provisioning IAM management permissions for centralized identity administration
- Identity governance platforms requiring comprehensive IAM access for compliance and audit functions