AWSCloudTrail - Privilege escalation via CRUD S3 policy

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Detects inline IAM policy updates that grant broad Amazon S3 create, read, update, and delete permissions. This type of policy expansion can be used to gain higher-impact access to cloud data and facilitate privilege escalation objectives.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	fc3061bb-319c-4fe9-abe2-f59899a6d907
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	PrivilegeEscalation
Techniques	T1098.003
Required Connectors	AWS
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "PutGroupPolicy,PutRolePolicy,PutUserPolicy"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services