AWSCloudTrail - Privilege escalation via CRUD KMS policy

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Detects inline IAM policy updates that grant broad KMS create, read, update, enable/disable, and delete permissions. This pattern can support key management abuse and indicates possible privilege escalation through expanded cloud role capabilities.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	d7c39e15-997f-49e5-a782-73bf07db8aa5
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	PrivilegeEscalation
Techniques	T1098.003
Required Connectors	AWS
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services