Skip to content

Add an entity to an IAM role assumption policy

Author Last Update
Nick Jones 2020-06-18

None

MITRE IDs

Required Permissions

  • iam:GetRole
  • iam:UpdateAssumeRolePolicy

Required Parameters

Name Type Description Example Value
role str Name of role to alter OrganizationAccountAccessRole
entityarn str ARN of entity to add to the policy arn:aws:iam::000000000000:root

Attacker Action

aws -h

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:None AND eventSource:None  

Sigma Definition

---
title: Add an entity to an IAM role assumption policy
id: 8dc9a4f7-ce41-4962-a2d2-5625d9e2502d
status: experimental
author: Nick Jones
date: 2020-06-18
description: None
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "None"
  events:
    - eventName: "None"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089