Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.
Rule type: query
Risk score: 21
Runs every: 10 minutes
Maximum alerts per execution: 100
- Continuous Monitoring
- Identity and Access
Version: 3 (version history)
Added (Elastic Stack release): 7.9.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.
The AWS Filebeat module must be enabled to use this rule.
event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success
Framework: MITRE ATT&CKTM
- Version 3 (7.11.2 release)
- Formatting only
- Version 2 (7.10.0 release)
Updated query, changed from:
event.module:aws and event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success