<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Identity-and-Access-Management - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/identity-and-access-management/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:16:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/identity-and-access-management/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS IAM User Creation via Compromised EC2 Assumed Role</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-iam-create-user-ec2-persistence/</link><pubDate>Wed, 15 Jul 2026 14:16:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-iam-create-user-ec2-persistence/</guid><description>Adversaries leverage a compromised AWS EC2 instance's assumed IAM role to create new, unauthorized IAM users, establishing persistence within the AWS environment by granting themselves persistent access even after the initial compromise is remediated.</description><content:encoded><![CDATA[<p>This threat involves adversaries who have successfully compromised an AWS EC2 instance and are using its attached IAM role to establish persistence within the victim's AWS environment. By leveraging the temporary credentials of an assumed role on the EC2 instance, attackers can invoke the <code>iam:CreateUser</code> API to provision new, unauthorized IAM users. This technique allows them to maintain access and control even if the initial EC2 instance compromise is detected and remediated. The activity is detectable via AWS CloudTrail logs, specifically by observing <code>CreateUser</code> events where the initiating identity is an <code>AssumedRole</code> originating from an EC2 instance. This behavior is a critical indicator of post-compromise activity and can lead to broader unauthorized access, privilege escalation, and data exfiltration if not promptly addressed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to an AWS environment, often by exploiting a vulnerability in an application running on an EC2 instance, or through compromised credentials that allow access to an instance.</li>
<li>Upon compromising the EC2 instance, the adversary extracts or utilizes the temporary security credentials associated with an IAM role attached to that instance.</li>
<li>The adversary uses these temporary credentials to assume the EC2 instance's IAM role, thereby gaining the permissions assigned to that role within the AWS account.</li>
<li>Leveraging the assumed role's permissions, the adversary executes the <code>iam:CreateUser</code> API call to provision a new, unauthorized IAM user account within the AWS environment.</li>
<li>To enable direct programmatic access for the newly created IAM user, the adversary generates an access key and secret access key for this user using the <code>iam:CreateAccessKey</code> API.</li>
<li>The adversary then attaches specific IAM policies to the newly created user via <code>iam:AttachUserPolicy</code> or <code>iam:PutUserPolicy</code> APIs, granting the desired level of persistent access and privileges to various AWS resources.</li>
<li>With the new IAM user and its associated permissions, the adversary establishes persistent access to the AWS account, enabling continued operations even if the original EC2 instance compromise is mitigated or the temporary role credentials expire.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of this technique grants adversaries persistent, unauthorized access to an AWS account, circumventing initial access vectors. This can lead to significant data breaches, resource manipulation, and further privilege escalation, ultimately impacting the confidentiality, integrity, and availability of an organization's cloud resources. The creation of new IAM users provides a stealthy foothold that is difficult to remove without thorough investigation. If unchecked, the adversary could launch further attacks, disrupt services, exfiltrate sensitive data, or deploy malicious infrastructure, potentially incurring substantial financial, reputational, and operational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM and tune for your environment to detect <code>CreateUser</code> actions originating from EC2 instance assumed roles.</li>
<li>Regularly review <code>aws.cloudtrail</code> logs for <code>CreateUser</code> events, particularly examining the <code>aws.cloudtrail.user_identity.arn</code> and <code>aws.cloudtrail.request_parameters</code> fields to identify any unauthorized IAM user creations.</li>
<li>Restrict IAM role permissions on EC2 instances to only the minimum necessary (<code>least privilege</code>) to prevent assumed roles from having <code>iam:CreateUser</code> or similar high-privilege actions.</li>
<li>Implement proactive monitoring and alerts for <code>CreateAccessKey</code> and <code>AttachUserPolicy</code> actions, especially when performed by newly created users or from unusual sources, as these often follow user creation.</li>
<li>Refer to the AWS IAM documentation and best practices for securing roles and permissions to limit the scope of potential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud</category><category>aws</category><category>persistence</category><category>identity-and-access-management</category><category>ec2</category><category>privilege-escalation</category><category>iam</category></item></channel></rss>