
Change default policy version

| Author | Last Update |
| --- | --- |
| Nick Jones | 2020-06-18 |

An attacker may attempt to change the default policy version of a policy to one that includes a different set of permissions

MITRE IDs

Required Permissions

  • iam:SetDefaultPolicyVersion

Required Parameters

| Name | Type | Description | Example Value |
| --- | --- | --- | --- |
| policy_arn | str | ARN of the policy to create a new version for | arn:aws:iam::123456789012:policy/test |
| policy_version | str | Version of the policy to set as default | v2 |

Attacker Action

aws iam set-default-policy-version --policy-arn policy_arn --version-id policy_version

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:SetDefaultPolicyVersion AND eventSource:iam.amazonaws.com  
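As an added example (not part of the original page or the project's own code), the same selection as the query above applied to a CloudTrail log file in Python, pulling out the fields an analyst needs to triage the event. The records are constructed, and the requestParameters key names (policyArn, versionId) are assumed to follow the IAM API parameter names.

```python
import json

# Constructed CloudTrail records (not real logs): one successful change,
# one denied attempt, and one unrelated IAM call that must not match.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-18T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/test",
                           "versionId": "v2"}},
    {"eventTime": "2020-06-18T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/test",
                           "versionId": "v3"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2020-06-18T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/test"}},
]})


def matches_rule(record):
    """Same selection as the Lucene query and Sigma rule: both fields must match."""
    return (record.get("eventName") == "SetDefaultPolicyVersion"
            and record.get("eventSource") == "iam.amazonaws.com")


def detect(cloudtrail_json):
    """Parse a CloudTrail log file ({"Records": [...]}) and return one alert
    per matching event, carrying the fields needed for triage."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if not matches_rule(rec):
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "policy_arn": params.get("policyArn"),
            "version_id": params.get("versionId"),
            # A denied call is still logged; errorCode distinguishes it.
            "succeeded": "errorCode" not in rec,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the query matches denied attempts as well as successful changes; the `succeeded` field separates the two so a denied call can be triaged as an attempt rather than a completed permission change.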

Sigma Definition

---
title: Change default policy version
id: 089c1b6a-1d77-4071-aac7-c91488ad88d5
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to change the default policy version of a policy to one that includes a different set of permissions
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "SetDefaultPolicyVersion"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089