AWS IAM Group Creation
Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/06/05"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2023/10/24"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple
13users. Any user in a group automatically has the permissions that are assigned to the group.
14"""
15false_positives = [
16 """
17 A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
18 hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
19 investigated. If known behavior is causing false positives, it can be exempted from the rule.
20 """,
21]
22from = "now-60m"
23index = ["filebeat-*", "logs-aws*"]
24interval = "10m"
25language = "kuery"
26license = "Elastic License v2"
27name = "AWS IAM Group Creation"
28note = """## Setup
29
30The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
31references = [
32 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
33 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
34]
35risk_score = 21
36rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
37severity = "low"
38tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1136"
51name = "Create Account"
52reference = "https://attack.mitre.org/techniques/T1136/"
53[[rule.threat.technique.subtechnique]]
54id = "T1136.003"
55name = "Cloud Account"
56reference = "https://attack.mitre.org/techniques/T1136/003/"
57
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- AWS IAM User Addition to Group
- AWS EC2 Network Access Control List Creation
- AWS IAM Assume Role Policy Update
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM Password Recovery Requested