AWS IAM Group Creation
Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/06/05"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple
11users. Any user in a group automatically has the permissions that are assigned to the group.
12"""
13false_positives = [
14 """
15 A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
16 hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
17 investigated. If known behavior is causing false positives, it can be exempted from the rule.
18 """,
19]
20from = "now-60m"
21index = ["filebeat-*", "logs-aws.cloudtrail-*"]
22interval = "10m"
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS IAM Group Creation"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
31 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
32]
33risk_score = 21
34rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
35severity = "low"
36tags = [
37 "Domain: Cloud",
38 "Data Source: AWS",
39 "Data Source: Amazon Web Services",
40 "Data Source: AWS IAM",
41 "Use Case: Identity and Access Audit",
42 "Tactic: Persistence",
43]
44timestamp_override = "event.ingested"
45type = "query"
46
47query = '''
48event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1136"
56name = "Create Account"
57reference = "https://attack.mitre.org/techniques/T1136/"
58[[rule.threat.technique.subtechnique]]
59id = "T1136.003"
60name = "Cloud Account"
61reference = "https://attack.mitre.org/techniques/T1136/003/"
62
63
64
65[rule.threat.tactic]
66id = "TA0003"
67name = "Persistence"
68reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Options --path (string) The path to the group. For more information about paths, see IAM identifiers in the IAM User Guide . This parameter is optional. If it is not included, it defaults to a slas...
Read More -
Related rules
- AWS IAM User Addition to Group
- AWS EC2 Admin Credential Fetch via Assumed Role
- AWS EC2 Network Access Control List Creation
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy