Skip to content

Add a policy to a user

Author Last Update
Nick Jones 2020-06-18

An adversary may attempt to add a policy to a user, in order to escalate the privileges of that user.

MITRE IDs

Required Permissions

  • iam:AttachUserPolicy

Required Parameters

Name Type Description Example Value
user str User to add policy to root
policyarn str Policy to add to user arn:aws:iam::aws:policy/ReadOnlyAccess

Attacker Action

aws iam attach-user-policy --user-name  --policy-arn 

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:AttachRolePolicy AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Add a policy to a user
id: ca08ef1e-c37a-4a7e-b1a0-670519faacc2
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to add a policy to a user, in order to escalate the privileges of that user.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "AttachRolePolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089