Add a policy to a role
An adversary may attempt to add a policy to a role, in order to grant additional privileges to a compromised resource.
|role||str||Role to add policy to||ReadOnlyRole|
|policyarn||str||Policy to add to Role||arn:aws:iam::aws:policy/ReadOnlyAccess|
aws iam attach-role-policy --role-name --policy-arn
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
--- title: Add a policy to a role id: cdf3b0fc-0c45-4bb4-89f2-1c6b2661ec52 status: experimental author: Nick Jones date: 2020-06-18 description: An adversary may attempt to add a policy to a role, in order to grant additional privileges to a compromised resource. logsource: service: cloudtrail detection: selection_source: - eventSource: "" events: - eventName: "AttachRolePolicy" condition: selection_source AND events level: low tags: - attack.t1089