ASL AWS Create Policy Version to allow all resources

Splunk Security Content

Summary
This detection rule identifies the creation of an AWS IAM policy version that grants broad access to all resources, a violation of the principle of least privilege. It analyzes AWS CloudTrail logs for the CreatePolicyVersion API event and inspects the submitted policy document for statements that allow all actions ('*') on all resources ('*'). The implications of such an action are significant: it can lead to unauthorized access, data exfiltration, or further compromise of the AWS environment. The rule's documentation covers how to implement it, known false positives, and references for further reading on the security implications of such policies.
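The check described above, as an added Python example rather than the rule's own Splunk search: it walks CloudTrail records, keeps only CreatePolicyVersion events from iam.amazonaws.com, and flags any whose policy document contains an Allow statement with Action '*' on Resource '*'. The sample records, account id, user names and policy ARNs are constructed for illustration.

```python
"""Flag CloudTrail CreatePolicyVersion events whose new policy version allows
every action on every resource (added example, not Splunk's detection code)."""
import json
from urllib.parse import unquote

# Constructed sample CloudTrail records; not real log data.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/AdminLike",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
         "setAsDefault": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::123456789012:policy/ReadBucket",
         "policyDocument": json.dumps({"Version": "2012-10-17", "Statement":
             {"Effect": "Allow", "Action": ["s3:GetObject"],
              "Resource": "arn:aws:s3:::example-bucket/*"}})}},
]


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def grants_all_on_all(policy_document: str) -> bool:
    """True if any Allow statement permits Action '*' on Resource '*'."""
    # CloudTrail sometimes URL-encodes the document; unquote is a no-op otherwise.
    doc = json.loads(unquote(policy_document))
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant access
        if "*" in _as_list(stmt.get("Action", [])) and \
           "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def find_overly_permissive(events):
    """Return (actor ARN, policy ARN) for each offending CreatePolicyVersion."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or \
           ev.get("eventName") != "CreatePolicyVersion":
            continue
        params = ev.get("requestParameters") or {}
        if grants_all_on_all(params.get("policyDocument", "{}")):
            hits.append((ev["userIdentity"]["arn"], params.get("policyArn")))
    return hits
```

Only the first sample record is reported; the second scopes a single action to one bucket and passes.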
Categories
  • Cloud
  • AWS
Data Sources
  • Pod
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078.004
  • T1078
Created: 2024-12-12