An identity attached an administrative policy to an IAM user or role

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-11-09

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Privilege Escalation (TA0004) Persistence (TA0003)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Roles (T1098.003)
Severity	Informational

Description

An identity attached an administrative policy to an IAM user or role.

Attacker's Goals

Escalate privileges in cloud environments.

Investigative actions

Confirm whether this activity was intentional.
Check for other API calls that were executed by the identity.
Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

Variations

An identity with high administrative activity attached an administrative policy to an IAM user/role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity with high administrative activity attached an administrative policy to an IAM user/role.

Attacker's Goals

Escalate privileges in cloud environments.

Investigative actions

Confirm whether this activity was intentional.
Check for other API calls that were executed by the identity.
Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

An identity attached an administrative policy to itself

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An identity attached an administrative policy to an IAM user or role.

Attacker's Goals

Escalate privileges in cloud environments.

Investigative actions

Confirm whether this activity was intentional.
Check for other API calls that were executed by the identity.
Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

An identity failed to attach an administrative policy to an IAM user or role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An identity attached an administrative policy to an IAM user or role.

Attacker's Goals

Escalate privileges in cloud environments.

Investigative actions

Confirm whether this activity was intentional.
Check for other API calls that were executed by the identity.
Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.

A suspicious identity attached an administrative policy to an IAM user/role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity attached an administrative policy to an IAM user or role.

Attacker's Goals

Escalate privileges in cloud environments.

Investigative actions

Confirm whether this activity was intentional.
Check for other API calls that were executed by the identity.
Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.