Add an entity to an IAM role assumption policy

| Name | Type | Description | Example value |
|---|---|---|---|
| role | str | Name of role to alter | OrganizationAccountAccessRole |
| entityarn | str | ARN of entity to add to the policy | arn:aws:iam::000000000000:root |

When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:None AND eventSource:None

```yaml
---
title: Add an entity to an IAM role assumption policy
id: 8dc9a4f7-ce41-4962-a2d2-5625d9e2502d
status: experimental
author: Nick Jones
date: 2023-07-01
description: None
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "None"
  events:
    - eventName: "None"
  condition: selection_source AND events
level: low
tags:
  - attack.T1098
```
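
The query and rule above carry `None` placeholders for the event fields. As an added example (not part of the original page or its project), the following detector flags trust policy updates that allow a principal from outside the role's own account. It assumes the change is logged by CloudTrail as the IAM `UpdateAssumeRolePolicy` call, which the page does not name; the function names and the sample record are constructed for illustration.

```python
import json

# Assumption: the change is logged as IAM UpdateAssumeRolePolicy (not named on the page).
EVENT = ("iam.amazonaws.com", "UpdateAssumeRolePolicy")

def principals(policy_document):
    """Return every AWS principal that a trust policy allows."""
    found = set()
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "*" means any principal
            found.add(principal)
            continue
        aws = principal.get("AWS", [])
        found.update([aws] if isinstance(aws, str) else aws)
    return found

def account_of(arn):
    """Account ID from an ARN; a bare account ID or '*' is returned unchanged."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else arn

def external_principals(record):
    """Principals outside the role's own account allowed by a trust policy update."""
    if (record.get("eventSource"), record.get("eventName")) != EVENT or "errorCode" in record:
        return set()  # wrong event, or a failed call that changed nothing
    params = record.get("requestParameters") or {}
    policy = json.loads(params.get("policyDocument", "{}"))
    home = record.get("recipientAccountId")
    return {p for p in principals(policy) if account_of(p) != home}

# Constructed sample record, using the example values from the parameter table.
SAMPLE = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateAssumeRolePolicy",
    "recipientAccountId": "111111111111",
    "requestParameters": {
        "roleName": "OrganizationAccountAccessRole",
        "policyDocument": json.dumps({"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                  "arn:aws:iam::000000000000:root"]},
        }]}),
    },
}
```

Comparing against `recipientAccountId` keeps same-account trust changes quiet; an allow-list of known organization accounts would be the natural next filter.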