aiwg
Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
title: AWS IAM Privilege Escalation
id: 4a2b6c8d-1e3f-5a7b-9c2d-4e5f6a7b8c9d
status: stable
description: Detects IAM privilege escalation actions in AWS CloudTrail. Covers the
  most common escalation paths including creating new policy versions, attaching policies
  to users or roles, and creating access keys for other users. These actions allow an
  attacker with limited IAM write permissions to gain full administrative access.
references:
  - https://attack.mitre.org/techniques/T1078/004/
  - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
  - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  - attack.privilege_escalation
  - attack.t1078.004
  - attack.persistence
  - attack.t1098
logsource:
  product: aws
  service: cloudtrail
detection:
  selection_create_policy:
    eventName: 'CreatePolicyVersion'
    requestParameters.setAsDefault: 'true'
  selection_attach_policy:
    eventName:
      - 'AttachUserPolicy'
      - 'AttachRolePolicy'
      - 'AttachGroupPolicy'
    requestParameters.policyArn|contains: 'AdministratorAccess'
  selection_create_access_key:
    eventName: 'CreateAccessKey'
    # Escalation pattern: creating a key for a different user. Self-service calls
    # normally omit userName, so its presence is the signal. Sigma cannot compare
    # the value with the caller's own identity, so a user who names themselves
    # explicitly is a known false positive to triage downstream.
    requestParameters.userName|exists: true
  selection_set_default_policy:
    eventName: 'SetDefaultPolicyVersion'
  selection_add_user_to_group:
    eventName: 'AddUserToGroup'
    requestParameters.groupName|contains:
      - 'Admin'
      - 'admin'
      - 'administrator'
  selection_update_assume_role:
    eventName: 'UpdateAssumeRolePolicy'
  condition: selection_create_policy or selection_attach_policy or
    selection_create_access_key or selection_set_default_policy or
    selection_add_user_to_group or selection_update_assume_role
falsepositives:
  - Legitimate IAM administrators performing routine policy management
  - Infrastructure automation (Terraform, CDK) applying expected configuration changes
  - Onboarding workflows that create access keys for new users
level: high
fields:
  - eventTime
  - userIdentity.arn
  - userIdentity.type
  - userIdentity.accountId
  - eventName
  - requestParameters
  - sourceIPAddress
  - userAgent
  - awsRegion
# Detection Logic Note
#
# CloudTrail query to find IAM escalation events (AWS CLI):
#
#   aws cloudtrail lookup-events \
#     --lookup-attributes AttributeKey=EventName,AttributeValue=CreatePolicyVersion \
#     --start-time 2025-11-01 --end-time 2025-11-15 \
#     --output json | jq '.Events[].CloudTrailEvent | fromjson |
#       {time: .eventTime, user: .userIdentity.arn, action: .eventName, ip: .sourceIPAddress}'
#
# Athena query for CloudTrail in S3:
#
#   SELECT eventtime, useridentity.arn, eventname, sourceipaddress, requestparameters
#   FROM cloudtrail_logs
#   WHERE eventname IN (
#       'CreatePolicyVersion', 'AttachUserPolicy', 'AttachRolePolicy',
#       'CreateAccessKey', 'AddUserToGroup', 'UpdateAssumeRolePolicy'
#   )
#   AND eventtime > '2025-11-01'
#   ORDER BY eventtime;
#
# High-value escalation paths to investigate:
#   1. iam:CreatePolicyVersion + iam:SetDefaultPolicyVersion = admin via policy
#   2. iam:AttachUserPolicy with AdministratorAccess = direct admin grant
#   3. iam:CreateAccessKey for another user = credential theft
#   4. iam:UpdateAssumeRolePolicy = trust policy manipulation
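The rule's six selections and its `or` condition, applied in plain Python to a handful of constructed CloudTrail records so the logic can be checked offline. This is an added example and not part of the aiwg rule file or of any Sigma backend; the sample events, account id, user names and IP addresses are all made up. It also adds the one check the Sigma `|exists` modifier cannot express: comparing `requestParameters.userName` with the caller's own `userIdentity.userName`, so a self-service `CreateAccessKey` does not alert while a key minted for another user does.

```python
import json

# Constructed CloudTrail records (JSON, one per line), not real log data.
SAMPLE_LOG = [
    '{"eventTime":"2025-11-14T09:01:00Z","eventName":"CreatePolicyVersion","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"policyArn":"arn:aws:iam::111122223333:policy/app","setAsDefault":true},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:02:00Z","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"userName":"alice","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:03:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"userName":"alice"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:04:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"userName":"bob"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:05:00Z","eventName":"AddUserToGroup","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"groupName":"Developers","userName":"bob"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:06:00Z","eventName":"UpdateAssumeRolePolicy","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"roleName":"DeployRole"},"sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2025-11-14T09:07:00Z","eventName":"CreatePolicyVersion","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","userName":"alice"},"requestParameters":{"policyArn":"arn:aws:iam::111122223333:policy/app","setAsDefault":false},"sourceIPAddress":"198.51.100.7"}',
]
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG]

ATTACH_EVENTS = ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy")
ADMIN_GROUP_HINTS = ("Admin", "admin", "administrator")  # the rule's |contains list


def _get(event, path, default=None):
    """Walk a dotted path such as 'userIdentity.arn' through nested dicts."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matched_selections(event):
    """Return the rule selections that match one CloudTrail record."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    hits = []
    # selection_create_policy: CloudTrail logs setAsDefault as a JSON boolean,
    # so normalise before comparing with the rule's string 'true'.
    if name == "CreatePolicyVersion" and str(params.get("setAsDefault")).lower() == "true":
        hits.append("selection_create_policy")
    if name in ATTACH_EVENTS and "AdministratorAccess" in str(params.get("policyArn", "")):
        hits.append("selection_attach_policy")
    if name == "CreateAccessKey" and "userName" in params:
        # Sigma's |exists only sees that userName was supplied. Here we can also
        # drop the self-service case where the named user is the caller itself.
        if params["userName"] != _get(event, "userIdentity.userName"):
            hits.append("selection_create_access_key")
    if name == "SetDefaultPolicyVersion":
        hits.append("selection_set_default_policy")
    if name == "AddUserToGroup" and any(h in str(params.get("groupName", "")) for h in ADMIN_GROUP_HINTS):
        hits.append("selection_add_user_to_group")
    if name == "UpdateAssumeRolePolicy":
        hits.append("selection_update_assume_role")
    return hits


def scan(events):
    """Apply the condition (any selection) and summarise hits with the rule's key fields."""
    alerts = []
    for ev in events:
        hits = matched_selections(ev)
        if hits:
            alerts.append({
                "eventTime": ev.get("eventTime"),
                "user": _get(ev, "userIdentity.arn"),
                "eventName": ev.get("eventName"),
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "selections": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running it prints four alerts: the default-setting `CreatePolicyVersion`, the `AdministratorAccess` attach, the key created for `bob`, and the trust-policy update. The self-service key for `alice`, the non-admin group add and the non-default policy version stay quiet, which is exactly the triage the rule's comment asks for.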