AWS IAM AdministratorAccess Policy Attached to User
An adversary with compromised AWS credentials may attempt to escalate privileges or persist access by attaching the AdministratorAccess AWS managed policy to an existing IAM user via the AttachUserPolicy API, granting full access to all AWS services and resources.
An attacker with access to compromised AWS credentials may attempt to escalate privileges or persist access by attaching the AdministratorAccess AWS managed policy to an existing IAM user. This is achieved through the AttachUserPolicy API operation. The AdministratorAccess policy is a highly permissive AWS-managed policy that grants full access to all AWS services and resources. This activity is significant because it effectively elevates the compromised user to full administrative privileges within the AWS environment, allowing the attacker to perform almost any action. The targeted AWS environment may be running various services and applications, making the impact broad and potentially severe. Defenders need to monitor for this behavior because it bypasses normal permission controls and can be used for malicious purposes, such as data exfiltration, resource hijacking, or further lateral movement.
Attack Chain
- Initial Access: The attacker gains access to AWS credentials through phishing, credential stuffing, or other means.
- Credential Validation: The attacker validates the compromised credentials by attempting to access AWS resources.
- Reconnaissance: The attacker enumerates existing IAM users to identify a target for privilege escalation.
- Privilege Escalation: The attacker uses the
AttachUserPolicyAPI operation to attach theAdministratorAccesspolicy to the target IAM user. - Elevated Access: The attacker leverages the elevated privileges to access sensitive data, modify configurations, or create new resources.
- Persistence: The attacker creates new access keys or modifies IAM roles to maintain persistent access to the AWS environment.
- Lateral Movement: The attacker uses the elevated privileges to access other AWS accounts or resources.
- Impact: The attacker exfiltrates sensitive data, disrupts services, or causes financial damage.
Impact
Successful exploitation allows an attacker to gain complete control over an AWS environment. This can lead to data breaches, service disruption, financial losses, and reputational damage. The number of potential victims is dependent on the scope of the AWS environment and the data it contains. The targeted sectors are broad, as AWS is used across various industries, including finance, healthcare, and government. If the attack succeeds, the attacker can perform any action within the AWS environment, including deleting resources, modifying configurations, and accessing sensitive data.
Recommendation
- Deploy the first Sigma rule to detect the attachment of the
AdministratorAccesspolicy via theAttachUserPolicyAPI in CloudTrail logs. - Deploy the second Sigma rule to detect the creation of new access keys by users who have recently had the
AdministratorAccesspolicy attached (log source:aws.cloudtrail, event.action:CreateAccessKey). - Implement IAM service control policies (SCPs) to prevent attachment of
AdministratorAccessexcept for trusted roles (reference: AWS Documentation). - Monitor CloudTrail logs for
AttachUserPolicyevents and investigate any unexpected attachments of theAdministratorAccesspolicy (log source:aws.cloudtrail).
Detection coverage 2
AWS IAM AdministratorAccess Policy Attached to User
mediumDetects when the AdministratorAccess policy is attached to an IAM user, potentially indicating privilege escalation or persistence attempts.
AWS IAM User Creating Access Key After Admin Policy Attachment
highDetects the creation of an access key by a user shortly after the AdministratorAccess policy was attached, indicating possible misuse.
Detection queries are available on the platform. Get full rules →