Skip to content

Add an IAM User

Author Last Update
Nick Jones 2020-06-18

An attacker may attempt to create an IAM user, in order to provide another means of authenticating to the AWS account

MITRE IDs

Required Permissions

  • iam:CreateUser

Required Parameters

Name Type Description Example Value
user str IAM user to create example-user

Attacker Action

aws iam create-user --user-name example-user

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreateUser AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Add an IAM User
id: 6f660a21-0fcd-4b51-9894-4d2d8213f45b
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to create an IAM user, in order to provide another means of authenticating to the AWS account
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreateUser"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089