AWS IAM Assume Role Policy Update
editAWS IAM Assume Role Policy Update
editIdentifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.
Rule type: query
Rule indices:
- filebeat-*
Severity: low
Risk score: 21
Runs every: 10 minutes
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- AWS
- Elastic
- SecOps
- Identity and Access
- Continuous Monitoring
Version: 1
Added (Elastic Stack release): 7.9.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editVerify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.
Investigation guide
editThe AWS Filebeat module must be enabled to use this rule.
Rule query
editevent.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/