Add an IAM User
An attacker may attempt to create an IAM user, in order to provide another means of authenticating to the AWS account.
| user | str | IAM user to create | example-user |
aws iam create-user --user-name example-user
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:CreateUser AND eventSource:iam.amazonaws.com
---
title: Add an IAM User
id: 6f660a21-0fcd-4b51-9894-4d2d8213f45b
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to create an IAM user, in order to provide another means of authenticating to the AWS account
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreateUser"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
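
The same selection applied directly to a CloudTrail log file, for triage outside ELK. This is an added example, not part of the original page or the project's code; the function name `find_create_user` and every record in the sample are constructed, including the non-IAM event source.

```python
import json

# Constructed CloudTrail log file ({"Records": [...]}); the account ID, ARNs,
# IPs and the non-IAM event source are placeholder values, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-18T10:01:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"userName": "example-user"}},
    {"eventTime": "2020-06-18T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": None},
    {"eventTime": "2020-06-18T10:03:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2020-06-18T10:04:00Z",
     "eventSource": "other-service.example", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {},
     "requestParameters": {"userName": "not-iam"}},
]})


def find_create_user(log_text):
    """Return one finding per record matching eventSource AND eventName."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # a CreateUser event from another service is not a match
        if rec.get("eventName") != "CreateUser":
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # may be null in a record
        findings.append({
            "time": rec.get("eventTime"),
            "actor": identity.get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "new_user": params.get("userName"),
            # Failed calls carry errorCode; keep them, they show an attempt.
            "succeeded": "errorCode" not in rec,
        })
    return findings


if __name__ == "__main__":
    for f in find_create_user(SAMPLE_LOG):
        print(f)
```

Denied attempts are reported with `succeeded` set to false rather than dropped, since the rule's selection matches them as well.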