Changes made to AWS IAM policy

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

This query looks for when an API call is made to change an IAM, particularly those related to new policies being attached to users and roles, as well as changes to access methods and changes to account level policies.

Attribute	Value
Type	Hunting Query
Solution	Amazon Web Services
ID	`e0a67cd7-b4e5-4468-aae0-26cb16a1bbd2`
Tactics	PrivilegeEscalation, DefenseEvasion
Techniques	T1078, T1484
Required Connectors	AWS, AWSS3
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
`AWSCloudTrail`	`EventName in "AttachGroupPolicy,AttachRolePolicy,AttachUserPolicy,CreatePolicy,CreatePolicyVersion,DeleteGroupPolicy,DeletePolicy,DeletePolicyVersion,DeleteRolePolicy,DeleteUserPolicy,DetachGroupPolicy,DetachRolePolicy,PutGroupPolicy,PutUserPolicy"`	✓	✓	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries · Back to Amazon Web Services