aws detect role creation

Splunk Security Content

Summary
This rule analyzes AWS CloudWatch logs to identify the creation of new IAM roles by users, focusing on events whose action is `CreateRole`. Such activity is important to monitor because unauthorized role creation can serve as a vector for lateral movement and privilege escalation within AWS environments. By scrutinizing roles whose trust policies grant access to specific principals, the detection aims to flag potentially malicious activity that could result in attackers obtaining elevated permissions and compromising sensitive resources. The rule relies on structured log data from AWS and produces a table of the relevant user actions for analysis, supporting efficient incident response and case management.
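As an added illustration of the detection logic described above (example code written for this page, not part of Splunk Security Content or the rule's own search), the following Python takes constructed CloudTrail-style records, keeps only `CreateRole` events, decodes the trust policy from `requestParameters.assumeRolePolicyDocument` and flags roles whose trust policy allows an external AWS account or any principal. The `TRUSTED_ACCOUNTS` set, the sample records and the helper names are assumptions made for this example.

```python
import json
from urllib.parse import quote, unquote

# Assumption for this example: the organisation's own account ids. A role that
# trusts any other account, or a wildcard principal, is treated as suspicious.
TRUSTED_ACCOUNTS = {"111111111111"}


def _event(time, name, user_arn, src_ip, role_name=None, trust_doc=None):
    """Build a constructed CloudTrail-like record (sample data, not real logs).
    CloudTrail stores the trust policy of CreateRole as a URL-encoded JSON string."""
    params = None
    if role_name is not None:
        params = {"roleName": role_name,
                  "assumeRolePolicyDocument": quote(json.dumps(trust_doc))}
    return {"eventTime": time, "eventSource": "iam.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": user_arn},
            "sourceIPAddress": src_ip, "requestParameters": params}


# Constructed sample events: one benign service role, one role trusting an
# external account, one role trusting everyone, and one unrelated IAM call.
SAMPLE_RECORDS = [
    _event("2024-11-14T10:00:00Z", "CreateRole", "arn:aws:iam::111111111111:user/alice",
           "198.51.100.10", "app-ec2-role",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}),
    _event("2024-11-14T10:05:00Z", "CreateRole", "arn:aws:iam::111111111111:user/bob",
           "203.0.113.5", "cross-account-role",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"}]}),
    _event("2024-11-14T10:07:00Z", "CreateRole", "arn:aws:iam::111111111111:user/bob",
           "203.0.113.5", "open-role",
           {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": "*", "Action": "sts:AssumeRole"}]}),
    _event("2024-11-14T10:09:00Z", "ListRoles", "arn:aws:iam::111111111111:user/alice",
           "198.51.100.10"),
]


def _principals(trust_doc):
    """Collect every principal that an Allow statement lets assume the role."""
    found = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.append("*")
        elif isinstance(principal, dict):
            for value in principal.values():  # "AWS", "Service", "Federated"
                found.extend(value if isinstance(value, list) else [value])
    return found


def _is_external(principal):
    """True for a wildcard or for an AWS account outside TRUSTED_ACCOUNTS."""
    if principal == "*":
        return True
    if principal.startswith("arn:aws:iam::"):
        account = principal.split(":")[4]
        return account not in TRUSTED_ACCOUNTS
    return False  # service principals such as ec2.amazonaws.com


def detect_role_creation(records):
    """Return one table row per CreateRole event, marking risky trust policies."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateRole":
            continue
        params = rec.get("requestParameters") or {}
        trust_doc = json.loads(unquote(params.get("assumeRolePolicyDocument", "%7B%7D")))
        principals = _principals(trust_doc)
        rows.append({"time": rec["eventTime"],
                     "user": rec.get("userIdentity", {}).get("arn"),
                     "src_ip": rec.get("sourceIPAddress"),
                     "role": params.get("roleName"),
                     "principals": principals,
                     "suspicious": any(_is_external(p) for p in principals)})
    return rows


if __name__ == "__main__":
    for row in detect_role_creation(SAMPLE_RECORDS):
        print(row)
```

Only the `CreateRole` events reach the output table; the two roles that trust an outside account or `*` are marked suspicious, while the EC2 service role is recorded but not flagged, which is the triage split an analyst wants before pivoting on the creating user and source address.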
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2024-11-14