AWS IAM AdministratorAccess Policy Attached to User

  1[metadata]
  2creation_date = "2024/05/30"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching
 11additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation
 12to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
 13"""
 14false_positives = [
 15    """
 16    While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity
 17    should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target
 18    user.
 19    """,
 20]
 21from = "now-6m"
 22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "AWS IAM AdministratorAccess Policy Attached to User"
 26note = """## Triage and analysis
 27
 28### Investigating AWS IAM AdministratorAccess Policy Attached to User
 29
 30The AWS-managed `AdministratorAccess` policy grants full access to all AWS services and resources.  
 31When attached to a user, it effectively elevates that user to full administrative privileges.  
 32An adversary with `iam:AttachUserPolicy` permissions can abuse this operation to escalate privileges or maintain persistence.  
 33This rule detects `AttachUserPolicy` events where the attached policy name is `AdministratorAccess`.
 34
 35#### Possible investigation steps
 36
 37- **Validate intent and context.**  
 38  Identify the calling user (`aws.cloudtrail.user_identity.arn`) and the target IAM user (`aws.cloudtrail.request_parameters.userName`).  
 39  Confirm whether this was an intentional administrative action, part of provisioning automation, or a potential privilege escalation.  
 40
 41- **Review CloudTrail event details.**  
 42  Check `source.ip`, `user_agent.original`, and `source.geo` fields.  
 43  Compare to historical login or automation behavior. Unrecognized IPs, non-SDK user agents, or new regions may indicate misuse.  
 44
 45- **Correlate with related IAM activity.**  
 46  Search CloudTrail for additional IAM events around the same time (`CreateUser`, `CreateAccessKey`, `AttachGroupPolicy`, `PutUserPolicy`, etc.) that could indicate lateral movement or persistence attempts.  
 47
 48- **Review the target user’s permissions.**  
 49  Determine if the target user already had elevated privileges or if this represents a meaningful privilege increase.  
 50  Check for new API calls from the target user post-attachment, especially `CreateAccessKey`, `UpdateAssumeRolePolicy`, or S3 access attempts.  
 51
 52- **Investigate associated entities.**  
 53  Look for other alerts tied to the same caller or target within the past 48 hours to identify potential correlated activity.  
 54
 55### False positive analysis
 56
 57- **Legitimate administrative change.**  
 58  Policy attachments may be expected during provisioning or troubleshooting. Validate through change management records.  
 59- **Authorized automation.**  
 60  Some CI/CD pipelines or identity automation systems temporarily attach this policy. Review automation logs and intended IAM behavior.  
 61- **Delegated admin scenarios.**  
 62  Verify if the calling user or role is part of a delegated IAM administration group.
 63
 64### Response and remediation
 65
 66**Immediate containment**
 67- Detach the policy. Remove the `AdministratorAccess` policy from the affected IAM user immediately (`aws iam detach-user-policy`).  
 68- Rotate credentials. Rotate passwords and access keys for both the caller and target users.  
 69- Restrict IAM permissions. Temporarily remove `iam:AttachUserPolicy` privileges from non-administrative roles during scoping.  
 70- Enable or confirm MFA for affected accounts.  
 71
 72**Evidence preservation**
 73- Export related `AttachUserPolicy` CloudTrail events ±30 minutes from the alert to a secure evidence bucket.  
 74- Preserve GuardDuty findings and AWS Config snapshots for correlation.  
 75
 76**Scoping and investigation**
 77- Search CloudTrail for subsequent use of the affected user’s credentials.  
 78  Look for newly created keys, S3 access, or changes to IAM trust policies.  
 79- Review other accounts for similar policy attachment attempts from the same user or IP.  
 80
 81**Recovery and hardening**
 82- Reinforce least privilege by granting only role-based admin access instead of direct user-level AdministratorAccess.  
 83- Implement IAM service control policies (SCPs) to prevent attachment of `AdministratorAccess` except for trusted roles.  
 84- Enable CloudTrail, GuardDuty, and Security Hub across all regions.  
 85- Regularly audit IAM policy attachments through AWS Config or CloudFormation drift detection.  
 86
 87### Additional information
 88
 89- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/): response steps related to IAM policy modification and unauthorized privilege escalation.  
 90- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/):** for containment, analysis, and recovery guidance.  
 91- **AWS Documentation:** [AdministratorAccess Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator).  
 92- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).  
 93"""
 94references = [
 95    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html",
 96    "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html",
 97    "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/",
 98]
 99risk_score = 47
100rule_id = "9aa4be8d-5828-417d-9f54-7cd304571b24"
101severity = "medium"
102tags = [
103    "Domain: Cloud",
104    "Data Source: AWS",
105    "Data Source: Amazon Web Services",
106    "Data Source: AWS IAM",
107    "Use Case: Identity and Access Audit",
108    "Tactic: Privilege Escalation",
109    "Tactic: Persistence",
110    "Resources: Investigation Guide",
111]
112timestamp_override = "event.ingested"
113type = "eql"
114
115query = '''
116iam where event.dataset == "aws.cloudtrail"
117   and event.provider == "iam.amazonaws.com"
118   and event.action == "AttachUserPolicy"
119   and event.outcome == "success"
120   and stringContains(aws.cloudtrail.request_parameters, "policyArn=arn:aws:iam::aws:policy/AdministratorAccess")
121'''
122
123
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1098"
128name = "Account Manipulation"
129reference = "https://attack.mitre.org/techniques/T1098/"
130[[rule.threat.technique.subtechnique]]
131id = "T1098.003"
132name = "Additional Cloud Roles"
133reference = "https://attack.mitre.org/techniques/T1098/003/"
134
135
136
137[rule.threat.tactic]
138id = "TA0004"
139name = "Privilege Escalation"
140reference = "https://attack.mitre.org/tactics/TA0004/"
141[[rule.threat]]
142framework = "MITRE ATT&CK"
143[[rule.threat.technique]]
144id = "T1098"
145name = "Account Manipulation"
146reference = "https://attack.mitre.org/techniques/T1098/"
147[[rule.threat.technique.subtechnique]]
148id = "T1098.003"
149name = "Additional Cloud Roles"
150reference = "https://attack.mitre.org/techniques/T1098/003/"
151
152
153
154[rule.threat.tactic]
155id = "TA0003"
156name = "Persistence"
157reference = "https://attack.mitre.org/tactics/TA0003/"
158
159[rule.investigation_fields]
160field_names = [
161    "@timestamp",
162    "user.name",
163    "user_agent.original",
164    "source.ip",
165    "aws.cloudtrail.user_identity.arn",
166    "aws.cloudtrail.user_identity.type",
167    "aws.cloudtrail.user_identity.access_key_id",
168    "event.action",
169    "user.target.name",
170    "event.outcome",
171    "cloud.account.id",
172    "cloud.region",
173    "aws.cloudtrail.request_parameters",
174]