Rules Contributing to Suspicious AWS IAM Activity Alert

The following rules are used to identify suspicious activity within AWS IAM logs. Any one or more of these will trigger a Suspicious AWS IAM Activity Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| AWS User Login Profile Was Modified | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up. This alert detects anyone changing a password on behalf of another user. |
| AWS IAM Backdoor Users Keys | Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. This alert also lets you track the flow of AWS keys in your organization. |
| AWS IAM User Addition to Group | Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |
| AWS IAM Group Creation | Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users; any user in a group automatically has the permissions assigned to the group. |
| AWS IAM Assume Role Policy Update | Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |
| AWS IAM Deactivation of MFA Device | Identifies the deactivation of a specified multi-factor authentication (MFA) device, which removes its association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |
| AWS IAM Group Deletion | Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete the resources that are members of the group; it only deletes the group structure. |
| AWS New MFA Method Registered For User | Identifies the registration of a new multi-factor authentication method for an AWS account. Adversaries who have obtained unauthorized access to an AWS account may register a new MFA method to maintain persistence. |
| AWS IAM User Created | A new account has been created in AWS IAM. |
| Created AWS IAM Credentials | New IAM credentials have been generated. |
| IAM Policy Modification | The IAM policies associated with a user have been modified. |
| AWS IAM AccessDenied Discovery Event | Identifies AccessDenied events. An AWS access key may have been stolen and is being misused to perform discovery. |
| AWS IAM Delete Policy | Identifies when a policy is deleted in AWS. This does not distinguish successful from failed attempts, but the error messages tell a story of suspicious attempts. |
| AWS IAM Failure Group Deletion | Identifies failed attempts to delete groups: a group deletion was attempted but access was denied, there was a conflict, or the group does not exist. This is often an administrator performing an action, but it could also be suspicious behavior. |
| AWS SetDefaultPolicyVersion | Looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation when a previous version of the policy had permissions to access more resources than the current version. |
| AWS Create Policy Version to allow all resources | Looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account. |
| AWS CreateLoginProfile | Looks for AWS CloudTrail events where a user A (victim A) creates a login profile. |
| AWS CreateAccessKey | Looks for AWS CloudTrail events where a user creates access keys. |
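Several of the rules above reduce to simple predicates over CloudTrail record fields (who acted, on which userName, with what errorCode or policyDocument). The following added example, which is not the alerting product's own logic, implements a handful of them over constructed sample records; the IAM error codes for a failed DeleteGroup and the exact CloudTrail field names are assumptions.

```python
import json

# Assumed IAM error codes for a failed DeleteGroup: denied, group in use, or missing group.
GROUP_DELETE_ERRORS = {"AccessDenied", "DeleteConflictException", "NoSuchEntityException"}

def _allows_everything(policy_document):
    """CloudTrail carries policyDocument as a JSON string; look for an Allow */* statement."""
    star = lambda v: v == "*" or (isinstance(v, list) and "*" in v)
    try:
        statements = json.loads(policy_document).get("Statement", [])
    except (TypeError, ValueError, AttributeError):
        return False
    if isinstance(statements, dict):
        statements = [statements]
    return any(s.get("Effect") == "Allow" and star(s.get("Action")) and star(s.get("Resource"))
               for s in statements)

def evaluate(event):
    """Return the titles of the table's rules that one CloudTrail record triggers."""
    name, err = event.get("eventName", ""), event.get("errorCode")
    actor = (event.get("userIdentity") or {}).get("userName")
    params = event.get("requestParameters") or {}
    target = params.get("userName")  # absent when the caller acts on its own identity
    hits = []
    if name == "CreateAccessKey" and target and target != actor:
        hits.append("AWS IAM Backdoor Users Keys")
    if name == "UpdateLoginProfile" and target and target != actor:
        hits.append("AWS User Login Profile Was Modified")
    if name == "SetDefaultPolicyVersion":
        hits.append("AWS SetDefaultPolicyVersion")
    if name == "CreatePolicyVersion" and _allows_everything(params.get("policyDocument")):
        hits.append("AWS Create Policy Version to allow all resources")
    if err == "AccessDenied" and name.startswith(("Describe", "List", "Get")):
        hits.append("AWS IAM AccessDenied Discovery Event")
    if name == "DeleteGroup" and err in GROUP_DELETE_ERRORS:
        hits.append("AWS IAM Failure Group Deletion")
    return hits

def _ev(name, actor, params=None, err=None):
    return {"eventName": name, "userIdentity": {"userName": actor},
            "requestParameters": params, "errorCode": err}

# Constructed sample records (not from a real account), trimmed to the fields read above.
SAMPLE_EVENTS = [
    _ev("CreateAccessKey", "alice", {"userName": "bob"}),  # key created for another user
    _ev("CreateAccessKey", "alice"),                       # key created for self: no alert
    _ev("CreatePolicyVersion", "alice", {"policyDocument": json.dumps(
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}),
    _ev("ListUsers", "alice", err="AccessDenied"),
    _ev("DeleteGroup", "alice", {"groupName": "admins"}, err="NoSuchEntityException"),
]
```

Running `evaluate` over each record in `SAMPLE_EVENTS` yields one rule title for every record except the self-issued access key, which is the case the "by another user" wording in the table deliberately excludes.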