AWS IAM User Added to Group with Elevated Privileges
An AWS IAM user was added to an IAM group which could lead to credential misuse, lateral movement, or privilege escalation if the group has elevated or admin privileges.
The AWS Identity and Access Management (IAM) service controls access to AWS resources. Attackers can escalate privileges by adding a user to a group that has excessive permissions. This allows an attacker to quickly gain permissions for actions like credential misuse, lateral movement, or privilege escalation. This rule detects the addition of a user to a specified group in AWS IAM by monitoring the AddUserToGroup API call. This activity is often part of a larger attack chain involving initial access, privilege escalation, and persistence within the AWS environment. Defenders should monitor IAM group membership changes, especially when the target group carries elevated or admin privileges. The associated Elastic rule was last updated on 2026/04/10, but this brief analyzes the underlying technique.
Attack Chain
- An attacker gains initial access to an AWS account, potentially through compromised credentials or a misconfigured service.
- The attacker enumerates existing IAM users and groups to identify potential targets for privilege escalation.
- The attacker identifies a target IAM group with elevated permissions (e.g.,
AdministratorAccessor custom policies with broad permissions). - The attacker uses the
AddUserToGroupAPI call to add a chosen IAM user to the identified privileged group. This is the event detected by this brief. - The added IAM user now inherits the permissions associated with the group.
- The attacker leverages the newly acquired permissions to perform actions such as creating access keys, modifying security policies, or accessing sensitive data stored in S3 buckets or EC2 instances.
- The attacker establishes persistence by creating new IAM users with admin privileges or by modifying existing roles and policies.
- The attacker maintains access to the environment and exfiltrates data or causes disruption.
Impact
If an attacker successfully adds a user to a privileged IAM group, they can gain control over AWS resources, potentially leading to data breaches, service disruptions, and financial losses. The addition of a user to a group with AdministratorAccess can grant the attacker full control over the AWS account, allowing them to modify any resource or access any data. Depending on the scope and sensitivity of the data, this could impact hundreds or thousands of users and customers.
Recommendation
- Deploy the Sigma rule provided below to detect the
AddUserToGroupAPI call in your AWS CloudTrail logs and tune it for your environment. - Investigate any detected instances of
AddUserToGroupto determine if the user was added legitimately and if the target group has appropriate permissions. - Review the privileges of existing IAM groups to ensure that they follow the principle of least privilege.
- Implement multi-factor authentication (MFA) for all IAM users to prevent credential compromise and unauthorized access.
- Monitor the
CreateGroupandAttachGroupPolicyevents as referenced in the overview, as these can precede theAddUserToGroupevent. - Restrict the
iam:AddUserToGrouppermission to specific service principals with approval workflows as outlined in the overview.
Detection coverage 2
AWS IAM User Added to Group
lowDetects when an IAM user is added to a group in AWS IAM.
AWS IAM Group Modified After Creation
mediumDetects a pattern where a group is created and then modified shortly after, potentially by an attacker preparing for user additions.
Detection queries are available on the platform. Get full rules →