{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/identity-and-access-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Identity and Access Management (IAM)","Amazon EC2","AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","persistence","identity-and-access-management","ec2","privilege-escalation","iam"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis threat involves adversaries who have successfully compromised an AWS EC2 instance and are using its attached IAM role to establish persistence within the victim's AWS environment. By leveraging the temporary credentials of an assumed role on the EC2 instance, attackers can invoke the \u003ccode\u003eiam:CreateUser\u003c/code\u003e API to provision new, unauthorized IAM users. This technique allows them to maintain access and control even if the initial EC2 instance compromise is detected and remediated. The activity is detectable via AWS CloudTrail logs, specifically by observing \u003ccode\u003eCreateUser\u003c/code\u003e events where the initiating identity is an \u003ccode\u003eAssumedRole\u003c/code\u003e originating from an EC2 instance. This behavior is a critical indicator of post-compromise activity and can lead to broader unauthorized access, privilege escalation, and data exfiltration if not promptly addressed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to an AWS environment, often by exploiting a vulnerability in an application running on an EC2 instance, or through compromised credentials that allow access to an instance.\u003c/li\u003e\n\u003cli\u003eUpon compromising the EC2 instance, the adversary extracts or utilizes the temporary security credentials associated with an IAM role attached to that instance.\u003c/li\u003e\n\u003cli\u003eThe adversary uses these temporary credentials to assume the EC2 instance's IAM role, thereby gaining the permissions assigned to that role within the AWS account.\u003c/li\u003e\n\u003cli\u003eLeveraging the assumed role's permissions, the adversary executes the \u003ccode\u003eiam:CreateUser\u003c/code\u003e API call to provision a new, unauthorized IAM user account within the AWS environment.\u003c/li\u003e\n\u003cli\u003eTo enable direct programmatic access for the newly created IAM user, the adversary generates an access key and secret access key for this user using the \u003ccode\u003eiam:CreateAccessKey\u003c/code\u003e API.\u003c/li\u003e\n\u003cli\u003eThe adversary then attaches specific IAM policies to the newly created user via \u003ccode\u003eiam:AttachUserPolicy\u003c/code\u003e or \u003ccode\u003eiam:PutUserPolicy\u003c/code\u003e APIs, granting the desired level of persistent access and privileges to various AWS resources.\u003c/li\u003e\n\u003cli\u003eWith the new IAM user and its associated permissions, the adversary establishes persistent access to the AWS account, enabling continued operations even if the original EC2 instance compromise is mitigated or the temporary role credentials expire.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this technique grants adversaries persistent, unauthorized access to an AWS account, circumventing initial access vectors. This can lead to significant data breaches, resource manipulation, and further privilege escalation, ultimately impacting the confidentiality, integrity, and availability of an organization's cloud resources. The creation of new IAM users provides a stealthy foothold that is difficult to remove without thorough investigation. If unchecked, the adversary could launch further attacks, disrupt services, exfiltrate sensitive data, or deploy malicious infrastructure, potentially incurring substantial financial, reputational, and operational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect \u003ccode\u003eCreateUser\u003c/code\u003e actions originating from EC2 instance assumed roles.\u003c/li\u003e\n\u003cli\u003eRegularly review \u003ccode\u003eaws.cloudtrail\u003c/code\u003e logs for \u003ccode\u003eCreateUser\u003c/code\u003e events, particularly examining the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e fields to identify any unauthorized IAM user creations.\u003c/li\u003e\n\u003cli\u003eRestrict IAM role permissions on EC2 instances to only the minimum necessary (\u003ccode\u003eleast privilege\u003c/code\u003e) to prevent assumed roles from having \u003ccode\u003eiam:CreateUser\u003c/code\u003e or similar high-privilege actions.\u003c/li\u003e\n\u003cli\u003eImplement proactive monitoring and alerts for \u003ccode\u003eCreateAccessKey\u003c/code\u003e and \u003ccode\u003eAttachUserPolicy\u003c/code\u003e actions, especially when performed by newly created users or from unusual sources, as these often follow user creation.\u003c/li\u003e\n\u003cli\u003eRefer to the AWS IAM documentation and best practices for securing roles and permissions to limit the scope of potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T14:26:40Z","date_published":"2026-07-15T14:16:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-iam-create-user-ec2-persistence/","summary":"Adversaries leverage a compromised AWS EC2 instance's assumed IAM role to create new, unauthorized IAM users, establishing persistence within the AWS environment by granting themselves persistent access even after the initial compromise is remediated.","title":"AWS IAM User Creation via Compromised EC2 Assumed Role","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-iam-create-user-ec2-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Identity-and-Access-Management","version":"https://jsonfeed.org/version/1.1"}