{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/aws-iam/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS Lambda"],"_cs_severities":["high"],"_cs_tags":["aws","iam","lambda","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis threat focuses on the abuse of AWS Lambda execution roles to perform sensitive IAM operations. Lambda functions, often running with over-permissioned roles, can be exploited by adversaries to escalate privileges and establish persistence within an AWS environment. An attacker gaining control of a Lambda function can leverage its execution role to make IAM API calls that would normally require elevated permissions. This includes creating new IAM users or roles, attaching policies to existing IAM entities, and modifying EC2 instance profiles. The scope of this threat includes any AWS environment utilizing Lambda functions with IAM permissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Lambda function, either through code injection, vulnerable dependencies, or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Lambda function\u0026rsquo;s execution role, which has excessive IAM permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker executes IAM API calls, such as \u003ccode\u003eCreateUser\u003c/code\u003e, \u003ccode\u003eCreateRole\u003c/code\u003e, or \u003ccode\u003eCreateAccessKey\u003c/code\u003e, to create new IAM identities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eAttachUserPolicy\u003c/code\u003e, \u003ccode\u003ePutUserPolicy\u003c/code\u003e, \u003ccode\u003eAttachRolePolicy\u003c/code\u003e, or \u003ccode\u003ePutRolePolicy\u003c/code\u003e to grant elevated permissions to the newly created or existing IAM identities.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies instance profiles using \u003ccode\u003eCreateInstanceProfile\u003c/code\u003e and \u003ccode\u003eAddRoleToInstanceProfile\u003c/code\u003e to prepare EC2 instances for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created or modified IAM identities to assume roles and access resources they were not previously authorized to access via \u003ccode\u003ests:AssumeRole\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation, gaining control over sensitive AWS resources and services.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating rogue IAM users, roles, or access keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to full compromise of the AWS environment. An attacker could create highly privileged IAM users and roles, granting them the ability to access and control all AWS resources. This can result in data breaches, service disruptions, and financial losses. The impact is magnified in environments where Lambda functions are heavily relied upon for critical business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS IAM Sensitive Operations via Lambda Execution Role\u0026rdquo; to your SIEM and tune for your environment to detect the described IAM API calls originating from Lambda execution roles.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions granted to Lambda execution roles, following the principle of least privilege, to minimize the potential impact of a compromised function.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e to identify the Lambda function and associated deployment path responsible for the IAM API calls.\u003c/li\u003e\n\u003cli\u003eInvestigate \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e for targets such as \u003ccode\u003euserName\u003c/code\u003e, \u003ccode\u003egroupName\u003c/code\u003e, \u003ccode\u003eroleName\u003c/code\u003e, \u003ccode\u003epolicyArn\u003c/code\u003e, or \u003ccode\u003einstanceProfileName\u003c/code\u003e to understand the scope of the IAM operations.\u003c/li\u003e\n\u003cli\u003eRevoke or rotate the credentials of any compromised Lambda execution roles to prevent further unauthorized access.\u003c/li\u003e\n\u003cli\u003eRemediate any rogue IAM users, roles, or access keys created by the attacker to eliminate persistence mechanisms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T20:57:28Z","date_published":"2026-05-01T20:57:28Z","id":"/briefs/2024-01-09-aws-lambda-iam-privilege-escalation/","summary":"Detection of IAM API calls that create or empower IAM users and roles, attach policies, or configure instance profiles when the caller is an assumed role session associated with AWS Lambda, potentially indicating privilege escalation or persistence.","title":"AWS IAM Privilege Operations via Lambda Execution Role","url":"https://feed.craftedsignal.io/briefs/2024-01-09-aws-lambda-iam-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised Github accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to AWS using the stolen credentials. This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, add IP condition policies to the IAM role trust policy to restrict \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to known GitHub runner IP ranges, based on the information in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS S3"],"_cs_severities":["high"],"_cs_tags":["aws","iam","s3browser","s3","policy","cloudtrail"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe S3Browser utility is being used to create Inline IAM policies within AWS. This activity is flagged as suspicious when the policy includes the default S3 bucket name placeholder value of \u003ccode\u003e\u0026lt;YOUR-BUCKET-NAME\u0026gt;\u003c/code\u003e. This could indicate that the user has not properly configured the policy or is unaware of the implications of using a generic placeholder, potentially granting unintended access to S3 resources. This behavior was observed being used by the threat actor Guivil. The use of S3Browser in this manner poses a risk of privilege escalation, persistence, and unauthorized access to sensitive data stored in S3 buckets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, possibly through compromised credentials or misconfigured IAM roles (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the S3Browser utility to interact with AWS S3 buckets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create an Inline IAM policy using S3Browser.\u003c/li\u003e\n\u003cli\u003eThe attacker fails to replace the default bucket name placeholder \u003ccode\u003e\u0026lt;YOUR-BUCKET-NAME\u0026gt;\u003c/code\u003e with a specific bucket ARN.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the IAM policy with the default bucket name placeholder, leading to a broad or unintended scope of permissions.\u003c/li\u003e\n\u003cli\u003eThe poorly configured policy is applied to a user, role, or group.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially escalates privileges or gains unauthorized access to S3 resources.\u003c/li\u003e\n\u003cli\u003eThe attacker persists in the environment with the newly created or modified IAM policy.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCreation of an IAM policy with the default bucket name placeholder leaves S3 buckets open to potential unauthorized access. A successful attack could lead to data exfiltration, data modification, or denial of service. The scope of the impact depends on the specific permissions granted within the policy and the resources accessible through the affected IAM user, role, or group.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS IAM S3Browser Templated S3 Bucket Policy Creation\u0026rdquo; to your SIEM and tune for your environment to detect this specific activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ePutUserPolicy\u003c/code\u003e events are associated with the S3Browser user agent (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003cli\u003eReview existing IAM policies for the presence of the default bucket name placeholder \u003ccode\u003earn:aws:s3:::\u0026lt;YOUR-BUCKET-NAME\u0026gt;/*\u003c/code\u003e (logsource: aws/cloudtrail).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-s3browser-iam-policy/","summary":"An AWS IAM policy is created by the S3Browser utility with the default S3 bucket name placeholder, potentially indicating unauthorized access or misconfiguration.","title":"S3Browser IAM Policy Creation with Default Bucket Name","url":"https://feed.craftedsignal.io/briefs/2024-01-26-s3browser-iam-policy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","AWS STS"],"_cs_severities":["medium"],"_cs_tags":["aws","saml","cloudtrail","initial-access","lateral-movement","persistence","privilege-escalation","stealth"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious Security Assertion Markup Language (SAML) activity within Amazon Web Services (AWS). The activity includes monitoring for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e and \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events. An adversary might exploit SAML to gain unauthorized access, escalate privileges, move laterally within the AWS environment, or establish persistent backdoor access. The focus is on detecting unusual or unauthorized modifications to SAML configurations and role assumptions, which could indicate a compromised identity provider or malicious actor leveraging SAML for illicit purposes. Defenders should prioritize monitoring SAML-related API calls to identify and mitigate potential threats early in the attack chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises or creates a malicious SAML identity provider.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the AWS environment to trust the malicious SAML provider using \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SAML assertion to assume a specific role within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e API call to authenticate with AWS using the crafted SAML assertion.\u003c/li\u003e\n\u003cli\u003eAWS STS validates the SAML assertion and, if valid, provides temporary credentials for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the temporary credentials to perform actions within AWS, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the AWS environment, accessing resources and services authorized for the assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating backdoors or modifying existing IAM policies, leveraging the initially gained access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via SAML manipulation can lead to a complete compromise of the AWS environment. Attackers can gain unauthorized access to sensitive data, disrupt critical services, and deploy malicious infrastructure. The impact includes potential data breaches, financial losses, and reputational damage. The number of affected resources depends on the permissions associated with the roles assumed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events to detect suspicious role assumptions (see \u0026ldquo;AssumeRoleWithSAML Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events to detect unauthorized SAML provider modifications (see \u0026ldquo;UpdateSAMLProvider Detection Rule\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eAssumeRoleWithSAML\u003c/code\u003e events originating from unfamiliar user agents or IP addresses by reviewing CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eUpdateSAMLProvider\u003c/code\u003e events for unexpected changes to SAML provider configurations. Review associated CloudTrail logs for user identity, user agent, and hostname to ensure authorized access.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment, addressing false positives by exempting known, legitimate behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:30Z","date_published":"2024-01-03T18:22:30Z","id":"/briefs/2024-01-03-aws-suspicious-saml/","summary":"This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.","title":"Suspicious AWS SAML Activity Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-suspicious-saml/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","iam","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe S3 Browser utility, a Windows-based client for managing Amazon S3 storage and other cloud services, can be abused by threat actors to create new IAM users or access keys within compromised AWS environments. This activity, if unauthorized, can lead to privilege escalation, persistence, or even initial access, depending on the context of the compromise. The use of S3 Browser is identifiable via the userAgent string in AWS CloudTrail logs. While legitimate use of S3 Browser for administrative tasks exists, its unexpected appearance in user activity, particularly in sensitive accounts, should be investigated. This activity is particularly concerning because it can allow attackers to establish a foothold in the cloud environment and move laterally.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS environment, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs and configures S3 Browser on a compromised host or uses an existing installation.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates S3 Browser to the AWS environment using existing compromised credentials or an assumed role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses S3 Browser to execute the \u003ccode\u003eCreateUser\u003c/code\u003e API call within AWS IAM.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the new IAM user with elevated privileges, potentially granting administrator access.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses S3 Browser to execute the \u003ccode\u003eCreateAccessKey\u003c/code\u003e API call for an existing IAM user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created access key to perform actions within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the new user or access key for persistence, lateral movement, and data exfiltration within the AWS environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and IAM creation can lead to complete compromise of the AWS environment. An attacker with escalated privileges can access sensitive data, modify configurations, disrupt services, and deploy malicious infrastructure. Depending on the permissions granted to the created user or access key, the attacker could potentially pivot to other AWS accounts or services, leading to widespread damage. This can result in significant financial losses, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS IAM S3Browser User or AccessKey Creation\u0026rdquo; to your SIEM and tune for your environment to detect anomalous IAM activity originating from S3 Browser.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eCreateUser\u003c/code\u003e or \u003ccode\u003eCreateAccessKey\u003c/code\u003e events in AWS CloudTrail logs where the \u003ccode\u003euserAgent\u003c/code\u003e contains \u0026ldquo;S3 Browser\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eReview and enforce the principle of least privilege for all IAM users and roles to limit the impact of compromised credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-03-s3browser-iam/","summary":"The use of S3 Browser to create IAM users or access keys in AWS environments indicates a potential privilege escalation, persistence, or initial access attempt by threat actors leveraging a known cloud administration tool.","title":"AWS IAM User or Access Key Creation via S3 Browser","url":"https://feed.craftedsignal.io/briefs/2024-01-03-s3browser-iam/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM"],"_cs_severities":["high"],"_cs_tags":["aws","cloud","iam","s3browser","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Amazon"],"content_html":"\u003cp\u003eThe threat involves the use of the S3 Browser utility, a Windows application, to interact with Amazon Web Services (AWS) Identity and Access Management (IAM). Attackers are leveraging S3 Browser to perform reconnaissance, specifically targeting IAM users that do not have a login profile configured. Upon identifying such users, the attacker proceeds to create a login profile for them. This tactic may be indicative of an attempt to gain unauthorized access or maintain persistence within the AWS environment. The activity is detectable via AWS CloudTrail logs and was first publicly reported in May 2023 in connection with the threat actor GUIVIL.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with AWS CLI tools installed or uses a compromised IAM user with sufficient permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker configures S3 Browser with valid AWS credentials, enabling interaction with the AWS environment.\u003c/li\u003e\n\u003cli\u003eS3 Browser initiates a \u003ccode\u003eGetLoginProfile\u003c/code\u003e API call in AWS CloudTrail, to enumerate IAM users and identify those without existing login profiles.\u003c/li\u003e\n\u003cli\u003eS3 Browser, upon finding an IAM user without a login profile, initiates a \u003ccode\u003eCreateLoginProfile\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a password for the newly created login profile, gaining console access to the targeted IAM user account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the AWS console using the newly created credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the IAM user\u0026rsquo;s permissions to perform further reconnaissance, lateral movement, or data exfiltration within the AWS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by maintaining access through the created login profile, even if other access methods are revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain unauthorized console access to previously unprotected IAM user accounts. This can lead to privilege escalation, data breaches, and disruption of cloud services. The lack of multi-factor authentication on newly created login profiles increases the risk of account compromise. The impact can range from reconnaissance to full-scale control of the AWS environment, depending on the permissions associated with the compromised IAM users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect \u003ccode\u003eGetLoginProfile\u003c/code\u003e and \u003ccode\u003eCreateLoginProfile\u003c/code\u003e events originating from the S3 Browser user agent in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of IAM LoginProfile creation originating from unusual user agents or IP addresses.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all IAM users, including those with console access to mitigate the impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eReview IAM policies to ensure least privilege and restrict the ability to create or modify LoginProfiles to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-s3browser-iam-loginprofile/","summary":"The S3 Browser utility is being used to enumerate IAM users lacking login profiles and subsequently create them, potentially for reconnaissance, persistence, and privilege escalation within AWS environments.","title":"S3 Browser Used to Create IAM Login Profiles","url":"https://feed.craftedsignal.io/briefs/2024-01-02-s3browser-iam-loginprofile/"}],"language":"en","title":"CraftedSignal Threat Feed — AWS IAM","version":"https://jsonfeed.org/version/1.1"}