Enumerate IAM Permissions with GetAccountAuthorizationDetails
An adversary may attempt to enumerate the configured IAM users within an account, to identify entities that they might wish to gain access to or backdoor.
aws iam get-account-authorization-details
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:GetAccountAuthorizationDetails AND eventSource:*.iam.amazonaws.com
---
title: Enumerate IAM Permissions with GetAccountAuthorizationDetails
id: 53597a1f-06bd-4a81-9378-7e889fed52c4
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to enumerate the configured IAM users within an account, to identify entities that they might wish to gain access to or backdoor.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.iam.amazonaws.com"
  events:
    - eventName: "GetAccountAuthorizationDetails"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
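As an added example (not code from the original page), the rule's two selections implemented as a small matcher over constructed CloudTrail records, using Sigma's wildcard semantics as an assumption (`*` matches any run of characters, `?` one character, case-insensitively). The sample log is constructed; its `eventSource` value is the one CloudTrail writes for IAM API calls, `iam.amazonaws.com`, which lets the wildcard in the rule be checked against a realistic record before deployment: as written, `*.iam.amazonaws.com` requires a dot before `iam` and does not match that value, while `*iam.amazonaws.com` does.

```python
# Added example, not part of the original page: apply the rule's selection
# (selection_source AND events) to CloudTrail records offline.
import fnmatch
import json
import re

# Selection values copied from the rule above.
SOURCE_PATTERN = "*.iam.amazonaws.com"
EVENT_NAME = "GetAccountAuthorizationDetails"


def sigma_match(value, pattern):
    """Sigma-style string comparison (assumption: '*' = any run of characters,
    '?' = one character, case-insensitive), via fnmatch's glob-to-regex."""
    return re.match(fnmatch.translate(pattern), value, re.IGNORECASE) is not None


def load_cloudtrail(text):
    """Parse one CloudTrail log-file document of the form {"Records": [...]}."""
    return json.loads(text)["Records"]


def detect(records, source_pattern=SOURCE_PATTERN, event_name=EVENT_NAME):
    """Return triage summaries for records where both selections hold."""
    hits = []
    for rec in records:
        if not sigma_match(rec.get("eventSource", ""), source_pattern):
            continue
        if not sigma_match(rec.get("eventName", ""), event_name):
            continue
        identity = rec.get("userIdentity", {})
        hits.append({
            "time": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "principal": identity.get("arn"),   # who made the call
            "sourceIP": rec.get("sourceIPAddress"),
            "userAgent": rec.get("userAgent"),
        })
    return hits


# Constructed sample log (not real telemetry): one enumeration call, one
# unrelated IAM call, one S3 call. The account id and ARNs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2020-06-18T10:15:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetAccountAuthorizationDetails",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/example-user"},
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.0.0",
    },
    {
        "eventTime": "2020-06-18T10:15:40Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/example-user"},
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.0.0",
    },
    {
        "eventTime": "2020-06-18T10:16:05Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0example"},
        "sourceIPAddress": "10.0.1.5",
        "userAgent": "aws-sdk-go/1.30",
    },
]})


if __name__ == "__main__":
    records = load_cloudtrail(SAMPLE_LOG)
    # Pattern exactly as written in the rule: "*.iam.amazonaws.com" needs a
    # dot before "iam", which the bare value does not have, so nothing fires.
    print("as written:", detect(records))
    # Without the dot the wildcard matches the value CloudTrail emits.
    print("suffix match:", detect(records, source_pattern="*iam.amazonaws.com"))
```

Running the block prints an empty list for the pattern as written and one hit, with the calling principal, source IP and user agent for triage, for the dotless pattern; before shipping any CloudTrail rule, run its selections against a handful of real records from the account in this way so that wildcard and field-value mismatches surface in testing rather than as a silent gap in coverage.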