Add a policy to a group
An adversary may attempt to add a policy to a group, in order to alter the permissions assigned to a user they have compromised.
| Name | Type | Description | Default |
|------|------|-------------|---------|
| group | str | Group to add policy to | NONE |
| policyarn | str | Policy to add to group | arn:aws:iam::aws:policy/ReadOnlyAccess |
```shell
aws iam attach-group-policy --group-name {{ group }} --policy-arn {{ policyarn }}
```
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
```
eventName:AttachGroupPolicy AND eventSource:iam.amazonaws.com
```
```yaml
---
title: Add a policy to a group
id: 299b8380-8447-4f24-8520-c7a3c0008ef8
status: experimental
author: Nick Jones
date: 2023-07-01
description: An adversary may attempt to add a policy to a group, in order to alter the permissions assigned to a user they have compromised.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "AttachGroupPolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.T1098
```
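To show what the Sigma rule above actually selects, here is an added example (not part of the original page or the Leonidas project) that evaluates the rule's detection block over a few constructed CloudTrail records and pulls the group and policy out of `requestParameters`. The record layout follows CloudTrail's documented fields (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.groupName`, `requestParameters.policyArn`); the account ID, user names and the mismatched third record are made up for the test.

```python
# Constructed sample CloudTrail records (not real log data): one genuine
# AttachGroupPolicy call, one unrelated IAM call, and one record whose
# eventName matches but whose eventSource does not, to show the AND.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachGroupPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/compromised-user"},
     "requestParameters": {"groupName": "developers",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListGroups",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"},
     "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "AttachGroupPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/decoy"},
     "requestParameters": {}},
]

# The detection block of the Sigma rule, expressed as Python data.
DETECTION = {
    "selection_source": [{"eventSource": "iam.amazonaws.com"}],
    "events": [{"eventName": "AttachGroupPolicy"}],
}
CONDITION = ["selection_source", "events"]  # the rule joins these with AND


def selection_matches(record, selection):
    """Sigma list-of-maps semantics: any map may match, all fields in a map must match."""
    return any(all(record.get(field) == value for field, value in item.items())
               for item in selection)


def rule_matches(record):
    """Evaluate 'selection_source AND events' against one CloudTrail record."""
    return all(selection_matches(record, DETECTION[name]) for name in CONDITION)


def find_group_policy_attachments(records):
    """Return (actor ARN, group name, policy ARN) for every record the rule fires on."""
    hits = []
    for rec in records:
        if rule_matches(rec):
            params = rec.get("requestParameters") or {}
            hits.append((rec.get("userIdentity", {}).get("arn"),
                         params.get("groupName"), params.get("policyArn")))
    return hits


if __name__ == "__main__":
    for actor, group, policy in find_group_policy_attachments(SAMPLE_EVENTS):
        print(f"{actor} attached {policy} to group {group}")
```

A real triage would then compare the attached policy against the group's expected baseline and check whether the calling identity normally performs IAM changes.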