Skip to content
Threat Feed
low advisory

AWS IAM Assume Role Policy Update

An attacker modifies an AWS IAM role's trust policy to gain the privileges of the role, potentially leading to privilege escalation and persistence within the AWS environment.

The AWS IAM Assume Role Policy Update involves an attacker modifying the trust policy of an IAM role. The trust policy, a JSON document, dictates which principals can assume the role. By altering this policy, a malicious actor can grant themselves or other unauthorized entities the ability to assume the role and inherit its associated privileges. This allows for privilege escalation, persistence, and lateral movement within the AWS environment. This activity is detected via CloudTrail logs monitoring UpdateAssumeRolePolicy events. Successfully modifying the trust policy could have a wide-ranging impact depending on the permissions associated with the targeted role. This activity is often observed as part of broader attempts to establish persistence or elevate privileges within a compromised AWS environment. The Elastic detection rule was last updated on 2026/04/10.

Attack Chain

  1. Initial Access: The attacker gains initial access to an AWS account, possibly through compromised credentials or an exploited vulnerability.
  2. Discovery: The attacker enumerates existing IAM roles and their associated trust policies to identify potential targets for privilege escalation.
  3. Policy Modification: The attacker uses the UpdateAssumeRolePolicy API call to modify the trust policy of a chosen IAM role. The attacker adds a malicious principal (e.g., a compromised user or role) to the policy.
  4. Privilege Escalation: The attacker assumes the targeted IAM role, gaining the permissions associated with that role.
  5. Lateral Movement: The attacker leverages the newly acquired permissions to access other AWS resources or services.
  6. Persistence: The attacker modifies other IAM roles or resources using the compromised role, ensuring continued access even if the initial access vector is closed.
  7. Data Exfiltration or Damage: The attacker uses the escalated privileges to exfiltrate sensitive data or cause damage to AWS resources.

Impact

A successful IAM role trust policy update can grant an attacker significant control over the AWS environment. The scope of the impact depends on the privileges associated with the compromised role. This could lead to data breaches, service disruptions, or unauthorized access to critical systems. While the rule is classified as "low" severity, the consequences of successful exploitation can be severe, potentially affecting all aspects of the cloud infrastructure and data stored within. There is no mention of the number of victims or impacted sectors in the provided source material.

Recommendation

  • Deploy the Sigma rule provided below to detect suspicious UpdateAssumeRolePolicy events in AWS CloudTrail logs.
  • Review aws.cloudtrail.request_parameters in CloudTrail logs when the Sigma rule triggers to examine the modifications made to the trust policy.
  • Investigate the IAM user or assumed role (aws.cloudtrail.user_identity.arn) that initiated the UpdateAssumeRolePolicy event for any anomalous activity.
  • Monitor CloudTrail logs for events associated with the compromised IAM role (entity.target.id) following the trust policy update.
  • Implement the AWS security best practices outlined in the provided reference to minimize the attack surface and potential impact.

Detection coverage 2

AWS IAM Assume Role Policy Updated

low

Detects when an IAM role's assume role policy is updated, potentially indicating privilege escalation.

sigma tactics: persistence, privilege_escalation techniques: T1078, T1078.004, T1098, T1098.003 sources: cloudtrail, aws, cloudtrail

AWS IAM Role Trust Policy Modified by Unusual User Agent

medium

Detects modifications to the IAM Role trust policy by unusual User Agents

sigma tactics: persistence, privilege_escalation techniques: T1078, T1078.004, T1098, T1098.003 sources: cloudtrail, aws, cloudtrail

Detection queries are available on the platform. Get full rules →