Add an entity to an IAM role assumption policy¶
| Platform | Author | Last Update |
|---|---|---|
| aws | Nick Jones | 2023-07-01 |
None
MITRE IDs¶
Required Permissions¶
- iam:GetRole
- iam:UpdateAssumeRolePolicy
Required Parameters¶
| Name | Type | Description | Example Value |
|---|---|---|---|
| role | str | Name of role to alter | OrganizationAccountAccessRole |
| entityarn | str | ARN of entity to add to the policy | arn:aws:iam::000000000000:root |
Attacker Action¶
aws -h
Detection Case¶
ELK query¶
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:None AND eventSource:None
Sigma Definition¶
---
title: Add an entity to an IAM role assumption policy
id: 8dc9a4f7-ce41-4962-a2d2-5625d9e2502d
status: experimental
author: Nick Jones
date: 2023-07-01
description: None
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: "None"
events:
- eventName: "None"
condition: selection_source AND events
level: low
tags:
- attack.T1098