Update Inline Policy for User
An adversary may attempt to update the inline policy set on an IAM user, in order to alter the permissions assigned to a user they have compromised.
| Name | Type | Description | Example |
|---|---|---|---|
| user | str | user to add policy to | NONE |
| policyname | str | name of new inline policy | ExamplePolicy |
| policydocument | file | file of new inline policy to set | file://examplepolicy.json |
```shell
aws iam put-user-policy --user-name NONE --policy-name ExamplePolicy --policy-document file://examplepolicy.json
```
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
```
eventName:PutUserPolicy AND eventSource:iam.amazonaws.com
```
```yaml
---
title: Update Inline Policy for User
id: 3f460fd0-f120-4c06-9365-140d1c4c8fda
status: experimental
author: Nick Jones
date: 2020-06-18
description: An adversary may attempt to update the inline policy set on an IAM user, in order to alter the permissions assigned to a user they have compromised.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "PutUserPolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.t1089
```
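The Lucene query and the sigma rule above match the API call itself, which is noisy in accounts where administrators legitimately manage inline policies. The following is an added example, not part of the Leonidas page, that applies the same eventSource/eventName match to constructed CloudTrail records and adds two triage signals that separate the compromised-user case described above from routine administration: whether the caller changed the policy on their own IAM user, and whether the new policy document allows a wildcard action. The record layout (`userIdentity.userName`, and `requestParameters.userName`, `policyName`, `policyDocument` as a JSON string) is assumed from the CloudTrail record format; the sample events are constructed.

```python
import json

# Constructed sample CloudTrail records (assumed shape, not real log data).
SAMPLE_EVENTS = [
    {   # a user rewrites the inline policy on their own IAM user to allow everything
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "userName": "alice",
            "policyName": "ExamplePolicy",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            }),
        },
    },
    {   # an administrator grants another user one narrow permission
        "eventSource": "iam.amazonaws.com",
        "eventName": "PutUserPolicy",
        "userIdentity": {"type": "IAMUser", "userName": "iam-admin"},
        "requestParameters": {
            "userName": "bob",
            "policyName": "ReadOnlyBucket",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::example-bucket/*"}],
            }),
        },
    },
    {   # unrelated IAM read call; must not match
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetUser",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"userName": "alice"},
    },
]


def is_inline_policy_update(event):
    """Same match as the Lucene query / sigma rule: PutUserPolicy from the IAM service."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "PutUserPolicy")


def grants_wildcard_action(policy_document):
    """True if any Allow statement permits '*' or a whole-service wildcard such as 'iam:*'.

    Handles the IAM grammar quirks: 'Statement' may be a single object or a list,
    and 'Action' may be a single string or a list.
    """
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False


def triage(events):
    """Return one finding per inline-policy update, rated by the two triage signals."""
    findings = []
    for ev in events:
        if not is_inline_policy_update(ev):
            continue
        params = ev.get("requestParameters", {})
        actor = ev.get("userIdentity", {}).get("userName")
        target = params.get("userName")
        self_modification = actor is not None and actor == target
        wildcard = grants_wildcard_action(params.get("policyDocument", "{}"))
        findings.append({
            "actor": actor,
            "target": target,
            "policy_name": params.get("policyName"),
            "self_modification": self_modification,
            "wildcard_action": wildcard,
            # either signal alone is enough to escalate; both together is the page's scenario
            "severity": "high" if (self_modification or wildcard) else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Feeding real records through `triage` is a matter of replacing `SAMPLE_EVENTS` with the parsed `Records` array of a CloudTrail log file; the self-modification check is the cheaper signal to alert on first, since a legitimate administrator rarely needs to edit the inline policy of the very user they are signed in as.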