AWS IAM Customer Managed Policy Version Created or Default Version Set
Identifies successful IAM API calls that create a new customer managed policy version or set the default version for an
existing customer managed policy. Attackers with iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on a
privileged policy can introduce a permissive policy document and activate it, escalating effective permissions without
attaching a new policy. These APIs are high impact when the target policy is attached to powerful roles or users.
Elastic rule
[metadata]
creation_date = "2026/04/08"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies successful IAM API calls that create a new customer managed policy version or set the default version for an
existing customer managed policy. Attackers with `iam:CreatePolicyVersion` or `iam:SetDefaultPolicyVersion` on a
privileged policy can introduce a permissive policy document and activate it, escalating effective permissions without
attaching a new policy. These APIs are high impact when the target policy is attached to powerful roles or users.
"""
false_positives = [
    """
    Infrastructure-as-code, CI/CD, and IAM administrators routinely publish new policy versions or roll back defaults.
    Validate the policy ARN, change tickets, and whether the policy document broadens permissions. Exclude automation
    roles or pipelines after review.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Customer Managed Policy Version Created or Default Version Set"
note = """## Triage and analysis

### Investigating AWS IAM Customer Managed Policy Version Created or Default Version Set

`CreatePolicyVersion` uploads a new immutable version of a customer managed policy. `SetDefaultPolicyVersion` switches
which version principals evaluate—immediately changing effective access if the policy is already attached.

#### Possible investigation steps

- From `aws.cloudtrail.request_parameters`, extract `policyArn`, `policyDocument` (if present), and `setAsDefault`.
- Map the policy ARN to attached users, groups, and roles; prioritize policies attached to admin or break-glass roles.
- Compare the new or selected version to prior versions in IAM or version history for added `Action`/`Resource` wildcards.
- Review `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original` for interactive vs automation context.
- Correlate with `AttachUserPolicy`, `AttachRolePolicy`, or `CreatePolicyVersion` spikes from the same principal.

### False positive analysis

- Planned policy releases and rollbacks are expected in mature shops; baseline known publishers.

### Response and remediation

- If malicious: set default to a known-good version, delete bad versions where supported, detach policy if necessary, and
  revoke excess `iam:*` on the actor.

### Additional information

- [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html)
- [SetDefaultPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html)
"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html",
    "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
]
risk_score = 47
rule_id = "d4e8f0a1-2b3c-4d5e-a6f7-8b9c0d1e2f3a"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: ("CreatePolicyVersion" or "SetDefaultPolicyVersion")
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not aws.cloudtrail.user_identity.arn:arn*/terraform
    and not source.as.organization.name:(Amazon* or AMAZON* or "Google LLC" or "MongoDB, Inc.")
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.resources.arn",
    "aws.cloudtrail.resources.type",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.005"
name = "Temporary Elevated Cloud Access"
reference = "https://attack.mitre.org/techniques/T1548/005/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- AWS IAM Sensitive Operations via Lambda Execution Role
- AWS STS GetFederationToken with AdministratorAccess in Request
- AWS Account Discovery By Rare User
- AWS Sensitive IAM Operations Performed via CloudShell
- AWS Discovery API Calls from VPN ASN for the First Time by Identity