
Quick Start Security for AWS IAM


Coralogix Extension For AWS IAM Includes:

Alerts - 15

Stay on top of AWS IAM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Assume Role Policy Was Updated

This rule detects an update to the "AssumeRole" policy. The "AssumeRole" policy is a critical aspect of IAM that is used to delegate access to AWS resources in a secure and controlled manner.
Impact: An adversary may attempt to modify an assume role policy in order to weaken an organization's security controls.
Mitigation: Investigate the change and validate that the user was authorized to perform the update action.
MITRE Tactic: TA0004, MITRE Technique: T1484

Account Password Policy Was Updated

This rule detects the updating of a password policy.
Impact: An adversary may attempt to modify a password policy in order to weaken an organization's security controls.
Mitigation: Investigate the change and validate that the user was authorized to perform the update action.
MITRE Tactic: TA0004, MITRE Technique: T1484

A User Was Removed From A Group

This rule detects the removal of a user from a group.
Impact: An adversary may remove a user from a group to revoke that user's access and disrupt normal operations.
Mitigation: Verify that the remove operation and the user performing it were legitimate.
MITRE Tactic: TA0040, MITRE Technique: T1531

A User's Inline Policy Was Updated

This rule detects updates to the IAM inline policy of a user.
Impact: Attaching inline policies with excessive privileges can lead to privilege escalation. Because an inline policy is embedded in an individual user, it is hard to keep track of permissions and make adjustments, and such a policy can allow a malicious actor to perform malicious actions and enable an attack.
Mitigation: Remove the inline user policy. If the user requires these privileges for their daily work, add them to a designated user group with the relevant permissions. Always manage permissions and privileges using specific groups with specific permissions; this is the preferred way to handle user permissions in AWS and is considered best practice.
MITRE Tactic: TA0004, MITRE Technique: T1078

Password Recovery Request

This rule detects AWS IAM password recovery requests.
Impact: Password recovery is an important authentication mechanism; an unauthorized password recovery request could indicate malicious activity.
Mitigation: Investigate the change and validate the action, since a password recovery request might be an adversary tactic for account takeover.
MITRE Tactic: TA0003, MITRE Technique: T1098

Virtual MFA Deleted For Root User

This rule detects the deletion of the MFA configuration of the root user. A virtual MFA is a software two-factor authentication solution (an authenticator app), which in itself is considered less secure than a hardware 2FA device.
Impact: Without MFA, access to the root user requires only a username / password combination. This significantly reduces the security of the root account, and if performed by an adversary it is definitely a malicious action. In general, according to AWS guidelines, use of the root account is not advised. Root user activity is therefore a highly irregular event and could indicate attacker activity on the root account.
Mitigation: Investigate the change and validate the action with the performing user, since the removal of MFA might indicate malicious activity.
MITRE Tactic: TA0040, MITRE Technique: T1531

A Group Was Deleted

This rule detects the deletion of a user group.
Impact: Group deletion actions should be reviewed and validated as authorized. An adversary can delete a group to cause harm or evade detection. Bulk deletion operations (many consecutive group deletion alerts) should be inspected especially closely; an alert on consecutive deletions can also be configured by fine-tuning this alert.
Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.
MITRE Tactic: TA0040, MITRE Technique: T1531

A User Deleted Via AWS SSO / IAM Identity Center

This rule detects the deletion of an AWS user via AWS SSO / IAM Identity Center. This differs from a user being deleted through the IAM console, as it can also include users from other directories such as Okta, Active Directory, Azure AD, JumpCloud, etc.
Impact: User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to cause harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be inspected especially closely; an alert on consecutive deletions can also be configured by fine-tuning this alert.
Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.
MITRE Tactic: TA0040, MITRE Technique: T1531

User Deleted

This rule detects the deletion of an AWS user.
Impact: User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to cause harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be inspected especially closely; an alert on consecutive deletions can also be configured by fine-tuning this alert.
Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.
MITRE Tactic: TA0040, MITRE Technique: T1531

A User Was Granted Programmatic Access

This rule detects when a user is given an access key. When an IAM user is given an access key in AWS, it allows the user to programmatically access AWS resources and services using the AWS API or command-line tools. The access key consists of an access key ID and a secret access key, which are required to authenticate the user's requests to AWS.
Impact: If an adversary gains access to an IAM user's access key, they can use it to launch attacks on AWS resources and services, such as launching instances, accessing data, or modifying configurations.
Mitigation: To mitigate these risks, it is recommended to enable MFA for all IAM users and rotate access keys regularly. Additionally, users should only be granted the minimum permissions necessary to perform their required tasks, and those permissions should be reviewed and updated regularly to prevent unauthorized access.
MITRE Tactic: TA0005, MITRE Technique: T1578

User Created

This rule detects when an IAM user is created.
Impact: If an adversary gains the ability to create an IAM user in an AWS environment, they can create a new IAM user with elevated privileges and use it to gain access to sensitive data or resources. They could also modify existing IAM policies to gain additional permissions.
Mitigation: Verify that the create user action was valid. To mitigate the impact of such attacks, it is recommended to follow AWS best practices for IAM management, such as enabling multi-factor authentication (MFA) and monitoring IAM activity.
MITRE Tactic: TA0005, MITRE Technique: T1578

Access Analyzer Deleted

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.
Impact: When an access analyzer is deleted, a malicious actor has the chance to share access to the environment without being detected.
Mitigation: Validate that this activity is legitimate; if not, investigate further according to company policy. Create a new Access Analyzer.
MITRE Tactic: TA0006, MITRE Technique: T1552

Building Block - Remove User From Admin Group

This alert detects whenever an IAM user is removed from the admins group.

Building Block - Add User To Admin Group

This alert detects whenever an IAM user is added to the admins group.

Flow Alert - Ephemeral Admins

This flow alert detects when a user was added briefly to the admins group and then removed after a short period of time.
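As an added example (not Coralogix's own rule logic), the two building blocks and the flow alert above expressed as a small Python correlation over CloudTrail-style IAM events: membership changes to the admin group are collected first, and an add followed by a removal of the same user inside a time window is raised as a finding. The group name "admins", the 30-minute window, the actor ARN and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

ADMIN_GROUP = "admins"           # assumed name of the privileged group
WINDOW = timedelta(minutes=30)   # assumed "short period" for the flow alert

# Constructed sample events in CloudTrail's record shape (not real log data).
_ACTOR = {"arn": "arn:aws:iam::111111111111:user/bob"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "AddUserToGroup",
     "requestParameters": {"groupName": "admins", "userName": "alice"}, "userIdentity": _ACTOR},
    {"eventTime": "2024-05-01T10:12:00Z", "eventName": "RemoveUserFromGroup",
     "requestParameters": {"groupName": "admins", "userName": "alice"}, "userIdentity": _ACTOR},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "AddUserToGroup",
     "requestParameters": {"groupName": "admins", "userName": "carol"}, "userIdentity": _ACTOR},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "RemoveUserFromGroup",
     "requestParameters": {"groupName": "admins", "userName": "carol"}, "userIdentity": _ACTOR},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "AddUserToGroup",
     "requestParameters": {"groupName": "developers", "userName": "dave"}, "userIdentity": _ACTOR},
]

def _ts(event):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def admin_group_events(events):
    """Building blocks: every add/remove touching the admin group, in time order."""
    return sorted((e for e in events
                   if e["eventName"] in ("AddUserToGroup", "RemoveUserFromGroup")
                   and e["requestParameters"].get("groupName") == ADMIN_GROUP), key=_ts)

def ephemeral_admins(events, window=WINDOW):
    """Flow alert: an add followed by a removal of the same user within `window`."""
    pending = {}    # userName -> time of the latest AddUserToGroup not yet removed
    findings = []
    for e in admin_group_events(events):
        user = e["requestParameters"]["userName"]
        if e["eventName"] == "AddUserToGroup":
            pending[user] = _ts(e)
        elif user in pending:
            held = _ts(e) - pending.pop(user)
            if held <= window:   # carol is not flagged: removed almost a day later
                findings.append({"userName": user, "by": e["userIdentity"]["arn"],
                                 "minutes_in_group": held.total_seconds() / 60})
    return findings

if __name__ == "__main__":
    for finding in ephemeral_admins(SAMPLE_EVENTS):
        print("ephemeral admin:", finding)
```

In a real pipeline the events would come from CloudTrail (via the Coralogix integration or a log stream) rather than an inline list, and the window would be tuned to the organization's approved change process.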

Integration

Learn more about Coralogix's out-of-the-box integration with AWS IAM in our documentation.
