AWS IAM Access Denied Discovery Events
This detection identifies potential reconnaissance activity by an attacker attempting to discover AWS IAM permissions and configurations by generating a high volume of access denied events.
This detection focuses on identifying potential reconnaissance efforts within an AWS environment. An attacker might attempt to enumerate AWS IAM configurations, roles, and permissions to identify potential targets for privilege escalation or lateral movement. This activity generates a large number of "access denied" events in AWS CloudTrail logs, indicating that the attacker is probing the environment to understand what actions are permitted and what resources are accessible. Successful detection of this activity can help defenders identify and stop attackers before they gain a foothold in the AWS environment. The activity is detected through analysis of AWS CloudTrail logs.
Attack Chain
- Attacker gains initial access to an AWS environment through compromised credentials or an exposed API key.
- The attacker attempts to list all IAM users within the AWS account using the
iam:ListUsersAPI call. This generates an "access denied" event if the attacker does not have the necessary permissions. - The attacker attempts to enumerate all IAM roles within the AWS account using the
iam:ListRolesAPI call. This also results in "access denied" events if permissions are lacking. - The attacker tries to read the policies attached to specific IAM users by calling
iam:GetUserPolicyfor various user names. This probes for directly attached user policies. - The attacker attempts to determine which roles a user can assume using the
sts:AssumeRoleAPI call with different role ARNs, again creating access denied events for unauthorized attempts. - The attacker probes for service-linked roles using
iam:GetServiceLinkedRoleDeletionStatuson multiple service names. - The attacker aggregates the "access denied" responses to build a map of accessible vs. inaccessible resources and actions within the AWS environment.
- The attacker uses the discovered information to refine their attack strategy, focusing on exploiting accessible resources or attempting privilege escalation.
Impact
Successful discovery of AWS IAM configurations allows an attacker to map out the permissions landscape of the AWS environment. This enables them to identify potential privilege escalation paths, discover vulnerable resources, and ultimately compromise critical systems or data. Undetected IAM discovery can lead to data breaches, service disruptions, and significant financial losses. The scope of the impact depends on the level of access the attacker eventually gains and the criticality of the compromised resources.
Detection coverage 2
Detect High Volume of AWS IAM Access Denied Events
mediumDetects a high volume of AWS IAM Access Denied events, indicating potential reconnaissance activity.
Detect AWS IAM Access Denied Events from Uncommon User Agent
highDetects AWS IAM Access Denied events originating from uncommon User Agents, possibly indicating attacker tools.
Detection queries are available on the platform. Get full rules →