Skip to content

Create New Policy Version

Author Last Update
Nick Jones 2020-06-18

An attacker may attempt to create a new version of a given IAM policy in order to attach extra permissions to an entity they control.

MITRE IDs

Required Permissions

  • iam:CreatePolicyVersion

Required Parameters

Name Type Description Example Value
policy_arn str ARN of the policy to create a new version for arn:aws:iam::123456789012:policy/test
policy_document str New policy to upload - for the CLI, this should be a path to the json document. For Leonidas, this should be the JSON document itself. file://path/to/administrator/policy.json

Attacker Action

aws iam create-policy-version –policy-arn policy_arn –policy-document policy_document –set-as-default 

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreatePolicyVersion AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Create New Policy Version
id: b5104c3a-40f4-464a-934a-a917a89faf1a
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to create a new version of a given IAM policy in order to attach extra permissions to an entity they control.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreatePolicyVersion"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089