AWS IAM permission groups discovery operation

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-01-27
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery: Cloud Groups (T1069.003)
Severity	Informational

Description

AWS IAM permission groups discovery operation.

Attacker's Goals

Understand the IAM structure and relationships between users, groups, and roles.
Identify high-privilege identities or misconfigurations for privilege escalation.

Investigative actions

Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address.
Check if the operation is followed by or correlated with other enumeration actions.

Variations

Unusual AWS IAM permission groups discovery operation

Synopsis

ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Permission Groups Discovery: Cloud Groups (T1069.003)
Severity	Informational

Description

First execution of an AWS IAM permission groups discovery operation by a non-user identity.

Attacker's Goals

Understand the IAM structure and relationships between users, groups, and roles.
Identify high-privilege identities or misconfigurations for privilege escalation.

Investigative actions

Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address.
Check if the operation is followed by or correlated with other enumeration actions.