Skip to content

Create Policy

Author Last Update
Nick Jones 2020-06-18

An attacker may attempt to create a new version of a given IAM policy in order to attach extra permissions to an entity they control.

MITRE IDs

Required Permissions

  • iam:CreatePolicy

Required Parameters

Name Type Description Example Value
policy_name str ARN of the policy to create a new version for arn:aws:iam::123456789012:policy/test
policy_document str New policy to upload - for the CLI, this should be a path to the json document. For Leonidas, this should be the JSON document itself. file://path/to/administrator/policy.json

Attacker Action

aws iam create-policy --policy-name arn:aws:iam::123456789012:policy/test --policy-document file://path/to/administrator/policy.json

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:CreatePolicy AND eventSource:iam.amazonaws.com  

Sigma Definition

---
title: Create Policy
id: 1352e02d-4207-4709-8980-b3a08f346c6d
status: experimental
author: Nick Jones
date: 2020-06-18
description: An attacker may attempt to create a new version of a given IAM policy in order to attach extra permissions to an entity they control.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "CreatePolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089