AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Identifies creation of IAM policies that combine AWS Data Pipeline permissions with IAM privileges such as iam:PassRole, followed by attachment activity to users, roles, or groups. This sequence can enable escalation paths and should be reviewed for unauthorized privilege assignment.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	6009c632-94e9-4ffb-a11a-b4b99f457f88
Severity	High
Status	Available
Kind	Scheduled
Tactics	DefenseEvasion, PrivilegeEscalation, Persistence
Techniques	T1484, T1098.003
Required Connectors	AWS
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services