Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |

Description
An identity attached an administrative policy to an IAM user or role.
Attacker's Goals
Escalate privileges in cloud environments.
Investigative actions
- Confirm whether this activity was intentional.
- Check for other API calls that were executed by the identity.
- Look for any suspicious behavior from the IAM user or role to whom the administrative policy was attached.
Variations
- An identity attached an administrative policy to itself
- An identity failed to attach an administrative policy to an IAM user or role
- A suspicious identity attached an administrative policy to an IAM user/role
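
The description and the first two variations above, sketched as triage logic over AWS CloudTrail records. This is an added example, not the product's detector: it assumes AWS, the `AttachUserPolicy`/`AttachRolePolicy` events, and treats only the AWS-managed `AdministratorAccess` policy as administrative; the labels, helper names and sample events are constructed.

```python
# Added example: map CloudTrail IAM events onto the variations listed above.
# Assumptions: AWS CloudTrail record layout; "administrative" means only the
# AWS-managed AdministratorAccess policy (customer-managed policies are ignored).
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ATTACH_EVENTS = {"AttachUserPolicy": "userName", "AttachRolePolicy": "roleName"}

def actor_name(identity):
    """IAM user name, or the role name behind an assumed-role session."""
    if identity.get("type") == "AssumedRole":
        return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
    return identity.get("userName")

def classify(event):
    """Return a variation label, or None when the event is out of scope."""
    target_key = ATTACH_EVENTS.get(event.get("eventName"))
    if event.get("eventSource") != "iam.amazonaws.com" or target_key is None:
        return None
    # Records without requestParameters cannot be tied to a policy: skipped.
    params = event.get("requestParameters") or {}
    if params.get("policyArn") not in ADMIN_POLICY_ARNS:
        return None
    if event.get("errorCode"):  # the call was rejected, nothing was attached
        return "failed_attach"
    identity = event.get("userIdentity", {})
    actor = actor_name(identity)
    # A user can only match a user target, a role only a role target.
    same_kind = (identity.get("type") == "AssumedRole") == (target_key == "roleName")
    if actor and same_kind and actor == params.get(target_key):
        return "attached_to_self"
    return "attached_to_other"

def _event(name, identity, target, policy="AdministratorAccess", error=None):
    """Build a constructed (not captured) CloudTrail-style record."""
    return {"eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": identity, "errorCode": error,
            "requestParameters": {ATTACH_EVENTS[name]: target,
                                  "policyArn": f"arn:aws:iam::aws:policy/{policy}"}}

ALICE = {"type": "IAMUser", "userName": "alice"}
CI_ROLE = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": "ci-deploy"}}}
SAMPLE_EVENTS = [  # constructed sample data
    _event("AttachUserPolicy", ALICE, "alice"),
    _event("AttachRolePolicy", CI_ROLE, "ci-deploy"),
    _event("AttachUserPolicy", CI_ROLE, "ci-deploy"),  # a user sharing the role's name
    _event("AttachRolePolicy", ALICE, "ops-role", error="AccessDenied"),
    _event("AttachUserPolicy", ALICE, "bob", policy="ReadOnlyAccess"),
]

print([classify(ev) for ev in SAMPLE_EVENTS])
```

The third sample shows why the caller's identity type is compared with the target type: a role session attaching the policy to a user of the same name is not a self-attachment.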