Add a policy to a group

Author: Nick Jones
Last Update: 2020-06-18

An adversary may attempt to add a policy to a group, in order to alter the permissions assigned to a user they have compromised.

MITRE IDs

Required Permissions

  • iam:AttachGroupPolicy

Required Parameters

Name       Type  Description              Example Value
group      str   Group to add policy to   NONE
policyarn  str   Policy to add to group   arn:aws:iam::aws:policy/ReadOnlyAccess

Attacker Action

aws iam attach-group-policy --group-name <group> --policy-arn <policyarn>

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:AttachGroupPolicy AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Add a policy to a group
id: 299b8380-8447-4f24-8520-c7a3c0008ef8
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to add a policy to a group, in order to alter the permissions assigned to a user they have compromised.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "AttachGroupPolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
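To show the same selection logic outside ELK or a Sigma backend, here is an added Python example (not part of the original page) that applies the rule's eventSource/eventName match to constructed CloudTrail records and pulls out the fields an analyst would triage: the caller, the group, the policy ARN, and whether the call was denied. The records, account number and user names are constructed for the example.

```python
import json

# Constructed CloudTrail records for this example (not real logs). The field
# names used (eventSource, eventName, userIdentity, requestParameters,
# errorCode) are standard CloudTrail record fields.
SAMPLE_CLOUDTRAIL = """
{"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"}, "requestParameters": {"groupName": "developers", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}}
{"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/limited-user"}, "requestParameters": {"groupName": "developers", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}, "errorCode": "AccessDenied"}
{"eventSource": "iam.amazonaws.com", "eventName": "ListGroups", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}}
{"eventSource": "sts.amazonaws.com", "eventName": "AttachGroupPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/noise"}}
"""


def matches_rule(record: dict) -> bool:
    """Same selection as the Sigma rule above: both conditions must hold."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "AttachGroupPolicy")


def parse_cloudtrail_lines(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_attach_group_policy(text: str) -> list:
    """Return one alert dict per matching record, with triage fields extracted."""
    alerts = []
    for record in parse_cloudtrail_lines(text):
        if not matches_rule(record):
            continue
        params = record.get("requestParameters") or {}
        alerts.append({
            "actor": record.get("userIdentity", {}).get("arn"),
            "group": params.get("groupName"),
            "policy_arn": params.get("policyArn"),
            # Denied calls are still logged, with errorCode set. A failed
            # attempt to attach a policy is still worth surfacing.
            "denied": "errorCode" in record,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_attach_group_policy(SAMPLE_CLOUDTRAIL):
        print(alert)
```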