Update Inline Policy for User

Author      Last Update
Nick Jones  2020-06-18

An adversary may attempt to update the inline policy set on an IAM user, in order to alter the permissions assigned to a user they have compromised.

MITRE IDs

Required Permissions

  • iam:PutUserPolicy

Required Parameters

Name            Type  Description                        Example Value
user            str   user to add policy to              NONE
policyname      str   name of new inline policy          ExamplePolicy
policydocument  file  file of new inline policy to set   file://examplepolicy.json

Attacker Action

aws iam put-user-policy --user-name NONE --policy-name ExamplePolicy --policy-document file://examplepolicy.json

Detection Case

ELK query

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.

eventName:PutUserPolicy AND eventSource:iam.amazonaws.com

Sigma Definition

---
title: Update Inline Policy for User
id: 3f460fd0-f120-4c06-9365-140d1c4c8fda
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to update the inline policy set on an IAM user, in order to alter the permissions assigned to a user they have compromised.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "PutUserPolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
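
As an added example, not part of the Leonidas case or its author's code, the Sigma condition above applied to constructed CloudTrail records in Python, with the triage context an analyst wants alongside the alert: who made the change, whose inline policy it targets, whether the actor widened their own permissions, and whether the new policy document grants a wildcard Action. The CloudTrail requestParameters field names (userName, policyName, policyDocument) are assumed from the CloudTrail record format; the records themselves are made up.

```python
import json

# Constructed sample CloudTrail records (not real logs). Field names follow the
# CloudTrail record format; the values are invented for this example.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice", "policyName": "ExamplePolicy",
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": None},
    # Managed policy on a group: a different API call, and not an inline user policy change.
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupName": "devs", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

def is_inline_user_policy_update(record):
    """Same condition as the Sigma rule: eventSource AND eventName must both match."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") == "PutUserPolicy")

def grants_wildcard_action(policy_document):
    """True if any Allow statement includes Action "*"; handles string or list forms."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "*" in actions:
            return True
    return False

def triage(records):
    """Apply the detection and enrich each hit with context for the analyst."""
    hits = []
    for rec in records:
        if not is_inline_user_policy_update(rec):
            continue
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity", {}).get("userName")
        hits.append({
            "actor": actor,
            "target": params.get("userName"),
            "policy": params.get("policyName"),
            "self_modification": actor == params.get("userName"),  # actor widening own access
            "wildcard_action": grants_wildcard_action(params.get("policyDocument") or "{}"),
        })
    return hits
```

Only the PutUserPolicy record is returned; the AttachGroupPolicy record shows why the eventName in the query has to match the API call the attacker action actually makes.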