Skip to content
Threat Feed

Product

AWS Identity and Access Management

19 briefs RSS
low threat

AWS STS AssumeRole with New MFA Device

This rule identifies when a user has assumed a role using a new MFA device in AWS, which can be indicative of persistence and privilege escalation attempts by threat actors.

exploited AWS Security Token Service +1 aws cloudtrail sts assume_role mfa persistence privilege_escalation lateral_movement
2r 4t
medium advisory

AWS STS Role Chaining for Privilege Escalation and Persistence

AWS STS role chaining, where one assumed role is used to assume another, can lead to privilege escalation or persistence by refreshing session tokens, triggering alerts on the first observed role assumption based on CloudTrail logs.

AWS Security Token Service +1 aws sts role-chaining privilege-escalation persistence
2r 3t
medium advisory

AWS CreateLoginProfile Activity Detection

Detects the creation of AWS IAM login profiles, which can be indicative of new user creation or modifications by potentially malicious actors for privilege escalation or persistence.

AWS Identity and Access Management aws cloud iam privilege_escalation persistence
2r 2t
medium advisory

AWS SAML Identity Provider Modification

An adversary may attempt to modify the AWS SAML Identity Provider configuration to potentially escalate privileges or disrupt federated access.

AWS Identity and Access Management aws saml identity-provider privilege-escalation
2r 1t
medium advisory

AWS KMS Key User Performing S3 Encryption

Detection of AWS users employing KMS keys for S3 encryption, potentially indicating suspicious data handling within cloud environments.

AWS Identity and Access Management +2 aws kms s3 cloud encryption
2r 1t
medium advisory

AWS IAM Group Deletion Failure

Detection of a failed attempt to delete an AWS IAM group, which could indicate an attempt to remove audit trails or disrupt security policies.

AWS Identity and Access Management aws iam cloud deletion
2r 1t
medium advisory

AWS IAM User Creates Access Keys For Another User

An adversary with access to compromised AWS credentials may attempt to persist or escalate privileges by creating a new set of access keys for an existing IAM user, potentially leading to unauthorized access to resources and data.

AWS Identity and Access Management cloud aws iam persistence privilege-escalation
2r 2t
high advisory

AWS Virtual MFA Device Registration Attempt

An adversary attempts to register a virtual MFA device to an AWS account, potentially leading to account takeover and unauthorized access to resources.

AWS Identity and Access Management aws persistence mfa account_takeover
2r 1t
high advisory

AWS SAML Identity Provider Update Detection

Detection of unauthorized updates to AWS SAML identity providers using CloudTrail logs, potentially indicating compromised federated credentials and unauthorized access.

AWS Identity and Access Management aws saml identity-federation cloud
2r 1t
medium advisory

AWS User Login Profile Update by Different User

A user updating the login profile of another user in AWS CloudTrail logs may indicate privilege escalation attempts.

AWS Identity and Access Management aws cloudtrail iam privilege-escalation
2r 1t
high advisory

AWS Multi-Factor Authentication Disabled

Detection of AWS Multi-Factor Authentication (MFA) being disabled for an IAM user, indicating potential weakening of account security and persistence attempts.

AWS Identity and Access Management aws cloudtrail mfa iam persistence
2r 3t
medium advisory

AWS Login Profile Creation Activity

Monitoring AWS login profile creation events can help identify potentially malicious user or role creation activities within an AWS environment.

AWS Identity and Access Management aws iam cloud privilege-escalation
2r 2t
high advisory

AWS IAM Policy Version Created Allowing Access to All Resources

An AWS IAM policy version allowing access to all resources has been created, potentially leading to privilege escalation and unauthorized actions.

AWS Identity and Access Management aws iam privilege-escalation cloudtrail
2r 1t
high advisory

AWS IAM Policy Default Version Manipulation

An adversary may set a default policy version in AWS IAM to potentially escalate privileges, especially if previous policy versions granted broader permissions, leading to unauthorized access and data breaches.

AWS Identity and Access Management aws iam privilege-escalation defense-evasion
2r 2t
medium advisory

AWS IAM MFA Device Deactivation

Detection of AWS IAM MFA device deactivation via the `DeactivateMFADevice` API call, which could indicate an attempt to weaken account protections for privilege escalation or persistence.

AWS Identity and Access Management aws iam mfa deactivation cloudtrail
2r 3t
medium advisory

AWS IAM Default Policy Version Modification

An adversary modifies the default version of an AWS IAM policy, potentially downgrading security or disrupting access control.

AWS Identity and Access Management aws iam policy
2r 1t
high advisory

AWS Account Console Login Without MFA

Detection of successful AWS console login events without multi-factor authentication (MFA) enabled, potentially indicating misconfiguration, policy violation, or account compromise.

AWS Identity and Access Management +1 aws cloud iam authentication account-takeover
2r 2t
high advisory

AWS Account Compromise via New MFA Registration

An adversary may register a new Multi-Factor Authentication (MFA) method for an AWS account using the `CreateVirtualMFADevice` event in AWS CloudTrail logs to maintain persistence and evade detection in a compromised AWS account.

AWS +1 cloudtrail mfa persistence
2r 2t
high advisory

Detection of Public AWS S3 Bucket Creation via CLI

An AWS user creates a publicly accessible S3 bucket by using the AWS CLI to set permissive ACLs, potentially leading to unauthorized data access and data breaches.

Amazon S3 +2 aws s3 cloudtrail misconfiguration data-breach
2r 1t