AWS IAM AdministratorAccess Policy Attached to User

An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/05/30"
integration = ["aws"]
maturity = "production"
updated_date = "2025/10/13"

[rule]
author = ["Elastic"]
description = """
An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation
to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
"""
false_positives = [
    """
    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
    should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target
    user.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "eql"
license = "Elastic License v2"
name = "AWS IAM AdministratorAccess Policy Attached to User"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS IAM AdministratorAccess Policy Attached to User

The AWS-managed `AdministratorAccess` policy grants full access to all AWS services and resources.  
When attached to a user, it effectively elevates that user to full administrative privileges.  
An adversary with `iam:AttachUserPolicy` permissions can abuse this operation to escalate privileges or maintain persistence.  
This rule detects `AttachUserPolicy` events where the attached policy name is `AdministratorAccess`.

#### Possible investigation steps

- **Validate intent and context.**  
  Identify the calling user (`aws.cloudtrail.user_identity.arn`) and the target IAM user (`aws.cloudtrail.request_parameters.userName`).  
  Confirm whether this was an intentional administrative action, part of provisioning automation, or a potential privilege escalation.  

- **Review CloudTrail event details.**  
  Check `source.ip`, `user_agent.original`, and `source.geo` fields.  
  Compare to historical login or automation behavior. Unrecognized IPs, non-SDK user agents, or new regions may indicate misuse.  

- **Correlate with related IAM activity.**  
  Search CloudTrail for additional IAM events around the same time (`CreateUser`, `CreateAccessKey`, `AttachGroupPolicy`, `PutUserPolicy`, etc.) that could indicate lateral movement or persistence attempts.  

- **Review the target user's permissions.**  
  Determine if the target user already had elevated privileges or if this represents a meaningful privilege increase.  
  Check for new API calls from the target user post-attachment, especially `CreateAccessKey`, `UpdateAssumeRolePolicy`, or S3 access attempts.  

- **Investigate associated entities.**  
  Look for other alerts tied to the same caller or target within the past 48 hours to identify potential correlated activity.  

### False positive analysis

- **Legitimate administrative change.**  
  Policy attachments may be expected during provisioning or troubleshooting. Validate through change management records.  
- **Authorized automation.**  
  Some CI/CD pipelines or identity automation systems temporarily attach this policy. Review automation logs and intended IAM behavior.  
- **Delegated admin scenarios.**  
  Verify if the calling user or role is part of a delegated IAM administration group.

### Response and remediation

> Per AWS IR Playbooks, unauthorized administrative policy attachment represents a Privilege Escalation event.

**1. Immediate containment**
- Detach the policy. Remove the `AdministratorAccess` policy from the affected IAM user immediately (`aws iam detach-user-policy`).  
- Rotate credentials. Rotate passwords and access keys for both the caller and target users.  
- Restrict IAM permissions. Temporarily remove `iam:AttachUserPolicy` privileges from non-administrative roles during scoping.  
- Enable or confirm MFA for affected accounts.  

**2. Evidence preservation**
- Export related `AttachUserPolicy` CloudTrail events ±30 minutes from the alert to a secure evidence bucket.  
- Preserve GuardDuty findings and AWS Config snapshots for correlation.  

**3. Scoping and investigation**
- Search CloudTrail for subsequent use of the affected user's credentials.  
  Look for newly created keys, S3 access, or changes to IAM trust policies.  
- Review other accounts for similar policy attachment attempts from the same user or IP.  

**4. Recovery and hardening**
- Reinforce least privilege by granting only role-based admin access instead of direct user-level AdministratorAccess.  
- Implement IAM service control policies (SCPs) to prevent attachment of `AdministratorAccess` except for trusted roles.  
- Enable CloudTrail, GuardDuty, and Security Hub across all regions.  
- Regularly audit IAM policy attachments through AWS Config or CloudFormation drift detection.  

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/):** response steps related to IAM policy modification and unauthorized privilege escalation.  
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/):** for containment, analysis, and recovery guidance.  
- **AWS Documentation:** [AdministratorAccess Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator).  
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).  
"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html",
    "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
    "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/",
]
risk_score = 47
rule_id = "9aa4be8d-5828-417d-9f54-7cd304571b24"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.dataset == "aws.cloudtrail"
   and event.provider == "iam.amazonaws.com"
   and event.action == "AttachUserPolicy"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "policyArn=arn:aws:iam::aws:policy/AdministratorAccess")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "user.target.name",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
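The EQL query above reduces to four conditions on each CloudTrail record. The following Python is an added example (not part of the Elastic rule) that applies the same predicate to constructed raw CloudTrail events and surfaces one caveat of the rule's `stringContains` test: any managed policy whose ARN starts with `arn:aws:iam::aws:policy/AdministratorAccess` (for example `AdministratorAccess-Amplify`) also satisfies it. The flattened `key=value` text and the "no `errorCode` means `event.outcome == success`" mapping are assumptions that approximate the integration's ingest pipeline.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail records (not real telemetry), in raw pre-ingest shape.
SAMPLE_EVENTS = [
    # 1: successful attach of AdministratorAccess to a user -> rule should fire
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"policyArn": ADMIN_POLICY_ARN, "userName": "backup-svc"}},
    # 2: same call denied by IAM -> event.outcome is failure, rule stays quiet
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"policyArn": ADMIN_POLICY_ARN, "userName": "backup-svc"},
     "errorCode": "AccessDenied"},
    # 3: a different managed policy sharing the prefix -> substring test also fires
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/amplify-ci"},
     "requestParameters": {"policyArn": ADMIN_POLICY_ARN + "-Amplify", "userName": "amplify-user"}},
    # 4: AttachRolePolicy is a different API and out of scope for this rule
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"policyArn": ADMIN_POLICY_ARN, "roleName": "ops"}},
]


def flatten_request_parameters(params: dict) -> str:
    """Assumed approximation of the flattened aws.cloudtrail.request_parameters string."""
    return "{" + ", ".join(f"{k}={v}" for k, v in params.items()) + "}"


def matches_rule(event: dict, exact: bool = False) -> bool:
    """Apply the rule's conditions: IAM source, AttachUserPolicy, success, policy ARN.

    exact=True replaces the substring check with an equality test on policyArn,
    which is the tightening a detection engineer would apply to avoid prefix matches.
    """
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "AttachUserPolicy":
        return False
    if "errorCode" in event:  # assumption: errorCode present <=> event.outcome == "failure"
        return False
    params = event.get("requestParameters") or {}
    if exact:
        return params.get("policyArn") == ADMIN_POLICY_ARN
    return f"policyArn={ADMIN_POLICY_ARN}" in flatten_request_parameters(params)


def triage_hits(events, exact: bool = False) -> list:
    """Return (caller ARN, target user, policy ARN) for each event the rule matches."""
    return [(e["userIdentity"]["arn"], e["requestParameters"]["userName"],
             e["requestParameters"]["policyArn"]) for e in events if matches_rule(e, exact)]
```

Running `triage_hits(SAMPLE_EVENTS)` returns two hits (events 1 and 3), while `triage_hits(SAMPLE_EVENTS, exact=True)` returns only event 1; the denied call and the `AttachRolePolicy` event never match.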
