Full Admin policy created and then attached to Roles, Users or Groups

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

'Identity and Access Management (IAM) securely manages access to AWS services and resources. Identifies when a policy is created with Full Administrators Access (Allow-Action:,Resource:). This policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level. AWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html and AWS IAM API at https://docs.aws.amazon.com/IAM/late

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	826bb2f8-7894-4785-9a6b-a8a855d8366f
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	PrivilegeEscalation, DefenseEvasion
Techniques	T1484
Required Connectors	AWS, AWSS3
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services