AWS IAM User created with AdministratorAccess policy attached

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when an AWS IAM user is created and the managed AdministratorAccess policy is attached shortly after.

Strategy

This rule leverages CloudTrail and triggers if an CreateUser API call is followed by the AWS managed policy AdministratorAccess being attached for the requested IAM user within 10 minutes. This can be an indicator of an attacker trying to preserve access to the AWS environment and to ensure the level of privileges required to achieve their objectives.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have carried out this operation.
  2. If the API calls were not made by the user:
  • Rotate user credentials.
  • Remove the newly created IAM user {{@requestParameters.userName}}.
  • Determine what other API calls were made by the user and the newly created user {{@requestParameters.userName}}.
  • Begin your organization’s incident response process and investigate.
  1. If the API call was made legitimately by the user:
  • It is recommended that IAM roles are used for human users and workloads so that they use temporary credentials.
  • If an IAM user is required, advise the user to find the least privileged policy that allows the user to operate as intended.
  • If not, see if other API calls were made by the user and determine if they warrant further investigation.
PREVIEWING: may/unit-testing