AWS IAM Inline Policy Added to a Group
Adversaries can escalate privileges and establish persistence within AWS by leveraging the `PutGroupPolicy` API call to attach an inline policy to an IAM group, granting broad permissions to all group members, including themselves.
This threat brief focuses on the malicious use of the PutGroupPolicy API in Amazon Web Services (AWS) Identity and Access Management (IAM). Adversaries who gain initial access to an AWS environment may exploit this functionality to escalate their privileges or establish persistence. By embedding an inline permissions policy directly onto an IAM group, attackers can grant elevated permissions to every current and future member of that group. This method is particularly effective for broad privilege grants, as it applies to all group members. The creation of inline policies on groups is a relatively uncommon administrative practice compared to attaching managed policies, making its occurrence by an unexpected principal a strong indicator of malicious activity and a valuable detection signal. This technique can be used to secure or expand access within a compromised AWS account, making it critical for defenders to monitor.
Attack Chain
- Initial Access: An attacker obtains valid AWS credentials through various means (e.g., compromised access keys, stolen session tokens, vulnerable web application exploitation leading to metadata endpoint access).
- Privilege Enumeration: The attacker identifies IAM users, roles, or groups that they have permissions to modify, specifically looking for principals with
iam:PutGroupPolicypermissions. - Target Group Identification: The attacker identifies an existing IAM group, or creates a new one, to which they or their controlled identities belong, or can be added.
- Malicious Policy Crafting: The attacker constructs an IAM inline policy document containing broad or specific elevated permissions (e.g.,
s3:*,ec2:*,iam:*actions onResource: "*") designed for privilege escalation or persistence. - Policy Attachment: The attacker invokes the
PutGroupPolicyAPI call, associating the crafted malicious policy with the target IAM group. - Privilege Escalation/Persistence Achieved: Upon successful attachment, all members of the target IAM group, including the attacker's compromised identity, immediately inherit the permissions defined in the malicious inline policy.
- Post-Exploitation Activity: The attacker utilizes these newly acquired elevated permissions to achieve their ultimate objective, such as data exfiltration, resource manipulation, service disruption, or further lateral movement within the AWS environment.
Impact
The successful exploitation of this technique can lead to severe consequences, including widespread privilege escalation and persistence across an AWS account. Since an inline policy attached to a group grants its permissions to all current and future group members, an attacker can quickly provide themselves or other compromised accounts with elevated access to critical AWS resources. This can result in unauthorized access to sensitive data (e.g., S3 buckets, databases), control over computing resources (e.g., EC2 instances, Lambda functions), and the ability to modify security configurations, potentially leading to significant financial loss, data breaches, and operational disruption. The subtle nature of inline policies compared to well-known managed policies can make detection and remediation more challenging.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unauthorized
PutGroupPolicyactions. - Restrict
iam:PutGroupPolicypermissions to a minimal set of trusted administrative roles or automation systems. - Regularly review all
PutGroupPolicyactivity in your AWS CloudTrail logs to identify suspicious inline policy attachments. - Inspect the
aws.cloudtrail.request_parameters.policyDocumentfield within detected events for broad permissions (Action: "*",Resource: "*") or specific sensitive actions. - Rotate credentials for any principal (
aws.cloudtrail.user_identity.arn) suspected of unauthorizedPutGroupPolicyactivity.
Detection coverage 1
AWS IAM Inline Policy Added to a Group
mediumDetects the addition of an inline policy to an IAM group via PutGroupPolicy, a common technique for privilege escalation or persistence in AWS environments. This rule filters out common automation tools.
Detection queries are available on the platform. Get full rules →