Add a policy to a user
An adversary may attempt to add a policy to a user, in order to escalate the privileges of that user.
| Name | Type | Description | Default |
|---|---|---|---|
| user | str | User to add policy to | root |
| policyarn | str | Policy to add to user | arn:aws:iam::aws:policy/ReadOnlyAccess |
aws iam attach-user-policy --user-name {{ user }} --policy-arn {{ policyarn }}
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:AttachUserPolicy AND eventSource:iam.amazonaws.com
```yaml
---
title: Add a policy to a user
id: ca08ef1e-c37a-4a7e-b1a0-670519faacc2
status: experimental
author: Nick Jones
date: 2023-07-01
description: An adversary may attempt to add a policy to a user, in order to escalate the privileges of that user.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "iam.amazonaws.com"
  events:
    - eventName: "AttachUserPolicy"
  condition: selection_source AND events
level: low
tags:
  - attack.T1098
```
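The Lucene query and the Sigma rule above express the same condition: `eventSource` is `iam.amazonaws.com` and `eventName` is `AttachUserPolicy`. The following script is an added example (not code from the page or from the Leonidas project) that applies that condition directly to CloudTrail records, for cases where the logs have not yet reached ELK or a Sigma-aware backend. The three sample records are constructed for illustration; the `requestParameters` keys `userName` and `policyArn` are the names CloudTrail records for this API call, and the `actor`, `target_user` and `policy_arn` finding fields are this example's own naming.

```python
import json
from typing import Iterable, List

# Constructed sample CloudTrail records (not real log data). Only the fields
# the detection and the triage output need are populated.
SAMPLE_RECORDS = [
    {   # the technique on this page: policy attached to a user
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventTime": "2023-07-01T10:15:00Z",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "userName": "root",
            "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
        },
    },
    {   # same source, benign read-only call: must not match
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListUsers",
        "eventTime": "2023-07-01T10:16:00Z",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None,
    },
    {   # right event name but wrong source: must not match either
        "eventSource": "sts.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventTime": "2023-07-01T10:17:00Z",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": None,
    },
]


def load_records(cloudtrail_json: str) -> List[dict]:
    """Parse a CloudTrail log file body, which wraps events in a top-level
    "Records" array, and return the list of event dictionaries."""
    return json.loads(cloudtrail_json).get("Records", [])


def matches_rule(record: dict) -> bool:
    """The Sigma rule's condition 'selection_source AND events': both the
    event source and the event name must match exactly."""
    return (
        record.get("eventSource") == "iam.amazonaws.com"
        and record.get("eventName") == "AttachUserPolicy"
    )


def find_policy_attachments(records: Iterable[dict]) -> List[dict]:
    """Return one compact finding per matching record. The acting identity,
    the user that received the policy and the policy ARN are pulled out so
    an analyst can see at a glance who granted what to whom."""
    findings = []
    for rec in records:
        if not matches_rule(rec):
            continue
        # requestParameters can be null on some events, so default to {}.
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "target_user": params.get("userName"),
            "policy_arn": params.get("policyArn"),
            "attack": "T1098",  # the ATT&CK tag carried by the Sigma rule
        })
    return findings


if __name__ == "__main__":
    # Run over a constructed log file body to show the end-to-end path.
    body = json.dumps({"Records": SAMPLE_RECORDS})
    for finding in find_policy_attachments(load_records(body)):
        print(json.dumps(finding))
```

Matching on the full event source rather than only on the event name is what keeps the third sample record out of the results; the `requestParameters` extraction is where triage context lives, since the rule alone does not tell you which user or policy was involved.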