AWSCloudTrail - IAM Policy Change Activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Identifies IAM policy modification events that may indicate unauthorized privilege changes, policy tampering, or persistence attempts in AWS accounts.

Attribute	Value
Type	Hunting Query
Solution	Amazon Web Services
ID	`e0a67cd7-b4e5-4468-aae0-26cb16a1bbd2`
Tactics	PrivilegeEscalation, DefenseEvasion
Techniques	T1078, T1484.001, T1484.002, T1098.003
Required Connectors	AWS, AWSS3
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`AWSCloudTrail`	`EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion,DeleteGroupPolicy,DeletePolicy,DeletePolicyVersion,DeleteRolePolicy,DeleteUserPolicy,DetachGroupPolicy,DetachRolePolicy,PutGroupPolicy,PutUserPolicy"`	✓	✓	✓

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries · Back to Amazon Web Services