Detection Library
Severity: high · Status: production · Platform: AWS · Cloud · MITRE ATT&CK: T1098 (Account Manipulation), T1078.004 (Valid Accounts: Cloud Accounts)
AWS CloudTrail — Suspicious IAM Policy Attachment
Detects when an overly permissive AWS-managed IAM policy (AdministratorAccess, or any *FullAccess policy) is attached to an IAM role or user through the IAM AttachRolePolicy / AttachUserPolicy API calls recorded in CloudTrail.
Updated Dec 1, 2024 · Detection Engineering Team
Tags: aws · iam · privilege-escalation · cloud
Problem Statement
Attaching an overly permissive managed policy such as AdministratorAccess to a role or user is one of the simplest privilege escalation paths in AWS: any principal holding iam:AttachRolePolicy or iam:AttachUserPolicy can grant full account control with a single API call, and the call is recorded in CloudTrail. Outside of a planned change, such an event usually indicates either a compromised credential or an insider acting outside change control.
Sample Logs
{
  "eventVersion": "1.08",
  "eventSource": "iam.amazonaws.com",
  "eventName": "AttachRolePolicy",
  "requestParameters": {
    "roleName": "lambda-exec-role",
    "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
  },
  "userIdentity": {
    "arn": "arn:aws:iam::123456789:user/admin",
    "type": "IAMUser"
  }
}
Required Fields
eventSource
eventName
requestParameters.policyArn
userIdentity.arn
sourceIPAddress
False Positives
- Authorized IAM administrators performing planned privilege grants
- CloudFormation stacks deploying infrastructure
- Terraform automation runs
Tuning Guidance
Allowlist known automation principals (the Terraform apply role, CloudFormation service-invoked calls) by userIdentity.arn or userIdentity.invokedBy, and alert specifically on human principals: userIdentity.type of IAMUser, or an AssumedRole whose session name maps to a person. Cross-reference every hit with a change management ticket. Two caveats: an allowlisted automation role is itself a high-value target, so pair the allowlist with the expected sourceIPAddress range of the CI runner and treat calls from anywhere else as alerts; and this rule matches AWS-managed policy names only, so a customer-managed policy carrying a wildcard Allow, or an inline policy written with PutRolePolicy / PutUserPolicy, is not caught and needs a companion rule.
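To show the rule running end to end, here is an added Python example (written for this page; it is not the detection team's production rule logic) that evaluates the detection over constructed CloudTrail records: a copy of the sample log above with a sourceIPAddress added, a Terraform run and a CloudFormation deploy that are allowlisted, and a benign ReadOnlyAccess attachment. The automation role name terraform-apply, the IP addresses and the 12-digit account IDs are assumptions made for the example.

```python
import json
import re
from typing import Iterable, List, Optional

# Managed policy ARNs treated as overly permissive: AdministratorAccess and any
# AWS-managed *FullAccess policy (IAMFullAccess, AmazonS3FullAccess, AWSLambda_FullAccess, ...).
OVERLY_PERMISSIVE = re.compile(r"^arn:aws:iam::aws:policy/(AdministratorAccess|[\w-]*FullAccess)$")

# IAM API calls that attach a managed policy to a principal.
ATTACH_EVENTS = {"AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy"}

# Assumed (hypothetical) automation allowlist: the Terraform apply role's session ARN
# prefix, plus service principals that CloudTrail reports in userIdentity.invokedBy.
TERRAFORM_ROLE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/terraform-apply/")
AUTOMATION_INVOKERS = {"cloudformation.amazonaws.com"}


def is_automation(identity: dict) -> bool:
    """True for CloudFormation-invoked calls or the allowlisted Terraform role."""
    if identity.get("invokedBy") in AUTOMATION_INVOKERS:
        return True
    return bool(TERRAFORM_ROLE.match(identity.get("arn", "")))


def evaluate_event(event: dict) -> Optional[dict]:
    """Return an alert for a suspicious managed-policy attachment, else None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") not in ATTACH_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    policy_arn = params.get("policyArn", "")
    if not OVERLY_PERMISSIVE.match(policy_arn):
        return None
    identity = event.get("userIdentity") or {}
    if is_automation(identity):
        return None
    return {
        "rule": "suspicious-iam-policy-attachment",
        "eventName": event["eventName"],
        "actor": identity.get("arn"),
        "actorType": identity.get("type"),
        # Attach*Policy carries exactly one of roleName / userName / groupName.
        "target": params.get("roleName") or params.get("userName") or params.get("groupName"),
        "policyArn": policy_arn,
        "sourceIPAddress": event.get("sourceIPAddress"),
    }


def detect(lines: Iterable[str]) -> List[dict]:
    """Run the rule over newline-delimited CloudTrail JSON records."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate_event(json.loads(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample records (not real CloudTrail output).
SAMPLE_LOGS = [
    # 1. The page's sample: a human IAM user attaches AdministratorAccess to a role -> alert
    '{"eventVersion":"1.08","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy",'
    '"sourceIPAddress":"203.0.113.10",'
    '"requestParameters":{"roleName":"lambda-exec-role","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},'
    '"userIdentity":{"arn":"arn:aws:iam::123456789:user/admin","type":"IAMUser"}}',
    # 2. A human behind an assumed role attaches a FullAccess policy to a user -> alert
    '{"eventVersion":"1.08","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy",'
    '"sourceIPAddress":"198.51.100.7",'
    '"requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AmazonS3FullAccess"},'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/OrgAdmin/alice","type":"AssumedRole"}}',
    # 3. Terraform apply role -> allowlisted by ARN
    '{"eventVersion":"1.08","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy",'
    '"sourceIPAddress":"10.0.1.5",'
    '"requestParameters":{"roleName":"app-role","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},'
    '"userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/terraform-apply/ci-run-42","type":"AssumedRole"}}',
    # 4. CloudFormation acting for a user -> allowlisted by invokedBy
    '{"eventVersion":"1.08","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy",'
    '"sourceIPAddress":"cloudformation.amazonaws.com",'
    '"requestParameters":{"roleName":"stack-role","policyArn":"arn:aws:iam::aws:policy/AmazonEC2FullAccess"},'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/deployer","type":"IAMUser","invokedBy":"cloudformation.amazonaws.com"}}',
    # 5. Benign read-only policy -> no alert
    '{"eventVersion":"1.08","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy",'
    '"sourceIPAddress":"203.0.113.10",'
    '"requestParameters":{"roleName":"auditor","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"},'
    '"userIdentity":{"arn":"arn:aws:iam::123456789:user/admin","type":"IAMUser"}}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Run as a script it prints two alerts, records 1 and 2; records 3 and 4 are dropped by the allowlist and record 5 by the policy pattern. The allowlist keys on the principal only, so the sourceIPAddress check from the tuning guidance is deliberately left to a second stage: the alert dict carries the field so it can be compared against the CI runner's expected range. The pattern also matches AWS-managed policy names only, so a PutRolePolicy inline policy or a customer-managed policy with a wildcard Allow passes through silently.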