The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

« AWS GuardDuty Detector Deletion AWS IAM Brute Force of Assume Role Policy »

› › ›

AWS IAM Assume Role Policy Update

edit

AWS IAM Assume Role Policy Update

edit

Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.

Rule type: query

Rule indices:

filebeat-*

Severity: low

Risk score: 21

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws

Tags:

AWS
Elastic
SecOps
Identity and Access
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.

Investigation guide

edit

The AWS Filebeat module must be enabled to use this rule.

Rule query

edit

event.module:aws and event.dataset:aws.cloudtrail and
event.provider:iam.amazonaws.com and
event.action:UpdateAssumeRolePolicy and event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« AWS GuardDuty Detector Deletion AWS IAM Brute Force of Assume Role Policy »