AWS IAM Roles Anywhere Profile Creation

Elastic Detection Rules

Summary
This threat detection rule identifies the creation of an AWS IAM Roles Anywhere profile, a feature that allows AWS Identity and Access Management (IAM) roles to be used for access to AWS resources from any location via trust anchors. The rule aims to uncover potential abuse by adversaries who create such profiles linked to overly permissive roles in order to sustain unauthorized access to AWS assets. The detection mechanism uses AWS CloudTrail logs to filter for events indicating successful profile creation. Security teams are advised to verify that such creations are legitimate and to monitor the permissions of the roles involved closely to prevent unauthorized resource access.
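The following is an added example of the detection logic described in the summary, run over constructed CloudTrail records; it is not Elastic's rule query or code. It assumes that a Roles Anywhere CreateProfile call is logged with eventSource "rolesanywhere.amazonaws.com", that a failed call carries an errorCode field, and that requestParameters hold the profile name and its roleArns list. The "broad role" heuristic, which looks for admin-style substrings in role ARNs, is likewise an assumption used to prioritise findings, not part of the original rule.

```python
"""Flag successful IAM Roles Anywhere profile creations in CloudTrail records.

Added example, not Elastic's rule logic. Assumes CreateProfile calls appear
with eventSource "rolesanywhere.amazonaws.com" and that requestParameters
carry the profile "name" and "roleArns" (assumed field names).
"""
import json

# Constructed sample records (not real events); the shape follows the
# CloudTrail JSON record format.
SAMPLE_RECORDS = [
    {   # successful creation binding an admin-style role: should be flagged
        "eventTime": "2024-04-20T10:15:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateProfile",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "name": "edge-workloads",
            "roleArns": [
                "arn:aws:iam::111122223333:role/AdminAccess",
                "arn:aws:iam::111122223333:role/ReadOnlyReporting",
            ],
            "durationSeconds": 3600,
        },
    },
    {   # same call denied: no profile was created, so not a finding
        "eventTime": "2024-04-20T10:16:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "CreateProfile",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "203.0.113.9",
        "errorCode": "AccessDeniedException",
        "requestParameters": {"name": "test", "roleArns": []},
    },
    {   # unrelated Roles Anywhere call: ignored
        "eventTime": "2024-04-20T10:17:00Z",
        "eventSource": "rolesanywhere.amazonaws.com",
        "eventName": "ListProfiles",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]

# Assumed naming heuristic for roles that deserve a closer look.
BROAD_ROLE_MARKERS = ("admin", "poweruser", "fullaccess")


def is_successful_profile_creation(record):
    """True for a CreateProfile call that CloudTrail recorded without an error."""
    return (
        record.get("eventSource") == "rolesanywhere.amazonaws.com"
        and record.get("eventName") == "CreateProfile"
        and "errorCode" not in record
    )


def broad_roles(role_arns):
    """Return the role ARNs whose names match the admin-style markers."""
    return [arn for arn in role_arns if any(m in arn.lower() for m in BROAD_ROLE_MARKERS)]


def build_finding(record):
    """Extract the fields an analyst needs to triage a profile creation."""
    params = record.get("requestParameters") or {}
    roles = params.get("roleArns") or []
    flagged = broad_roles(roles)
    return {
        "time": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "profile_name": params.get("name"),
        "role_arns": roles,
        "broad_roles": flagged,
        "severity": "high" if flagged else "medium",
    }


def detect(records):
    """Run the filter over an iterable of CloudTrail records and return findings."""
    return [build_finding(r) for r in records if is_successful_profile_creation(r)]


def detect_from_cloudtrail_json(text):
    """Accept the body of a CloudTrail log file, i.e. {"Records": [...]}."""
    return detect(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(json.dumps(finding, indent=2))
```

Every successful creation is reported (the rule's point is that profile creation itself is rare and worth reviewing); the severity field only orders the queue, and a profile bound to a role that looks read-only still needs its actor, source IP and trust anchor confirmed as expected.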
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1098
  • T1098.003
Created: 2024-04-20