AWS Sensitive IAM Operations Performed via CloudShell
Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/02/10"
integration = ["aws"]
maturity = "production"
updated_date = "2026/02/18"

[rule]
author = ["Elastic"]
description = """
Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a
browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While
convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform
privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions
such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate
post-compromise credential harvesting or privilege escalation activity.
"""
false_positives = [
    """
    Administrators may legitimately use CloudShell for IAM management tasks during routine operations or
    troubleshooting. Verify whether the user, source IP, and specific actions align with expected administrative
    workflows. Establish a baseline of normal CloudShell usage patterns to reduce false positives.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Sensitive IAM Operations Performed via CloudShell"
note = """## Triage and analysis

### Investigating AWS Sensitive IAM Operations Performed via CloudShell

AWS CloudShell is a browser-based shell environment that provides instant command-line access to AWS resources without requiring local CLI installation or credential configuration. While this is convenient for legitimate administrators, it also provides adversaries with a powerful tool if they gain access to a compromised AWS console session. Attackers can use CloudShell to perform sensitive operations without leaving artifacts on their local systems.

This rule detects high-risk IAM operations performed via CloudShell, including credential creation, user management, and policy attachment. These actions are commonly seen in post-compromise scenarios where attackers establish persistence or escalate privileges.

### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` to determine which IAM principal performed the action.
  - Check `source.ip` and `source.geo` fields to verify the request origin matches expected administrator locations.
  - Investigate the console login event that established the CloudShell session.

- **Analyze the specific action**
  - Review `event.action` to understand exactly what operation was performed.
  - For `CreateAccessKey` or `CreateUser`, identify the target principal and assess whether this was authorized.
  - For policy attachments, review which policies were attached and to which entities.

- **Review request and response details**
  - Examine `aws.cloudtrail.request_parameters` for specifics like user names, policy ARNs, or role configurations.
  - Check `aws.cloudtrail.response_elements` for created resource identifiers.

- **Correlate with surrounding activity**
  - Search for preceding events such as `ConsoleLogin` from the same session or IP address.
  - Look for MFA bypass indicators or unusual login patterns before CloudShell usage.
  - Check for subsequent use of any created credentials or roles.

- **Assess the broader context**
  - Determine if this CloudShell usage pattern is typical for this user.
  - Review recent access patterns for the console session that initiated CloudShell.

### False positive analysis

- Routine administrative tasks using CloudShell are common in some organizations. Create baseline profiles for users who regularly use CloudShell.
- Infrastructure automation testing may involve CloudShell for quick validation. Verify with the user.

### Response and remediation

- If unauthorized, immediately terminate the console session and revoke any created credentials.
- Rotate credentials for any IAM users or roles that may have been compromised.
- Review and remove any unauthorized users, access keys, roles, or policy attachments.
- Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts.
- Implement session duration limits to reduce the window of opportunity for console session abuse.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
"""
references = [
    "https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html",
    "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a",
]
risk_score = 47
rule_id = "41554afd-d839-4cc2-b185-170ac01cbefc"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS CloudTrail",
    "Data Source: AWS IAM",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: (
        "CreateAccessKey" or
        "CreateUser" or
        "AttachUserPolicy" or
        "PutUserPolicy" or
        "CreateRole" or
        "AttachRolePolicy" or
        "PutRolePolicy" or
        "CreateInstanceProfile" or
        "AddRoleToInstanceProfile"
    )
    and event.outcome: "success"
    and user_agent.original: *CloudShell*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
Related rules
- AWS IAM API Calls via Temporary Session Tokens
- AWS IAM Deactivation of MFA Device
- AWS RDS DB Instance or Cluster Password Modified
- AWS IAM AdministratorAccess Policy Attached to Group
- AWS IAM AdministratorAccess Policy Attached to Role