AWS IAM Inline Policy Added to a Group

Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy attachments, so their creation by an unexpected principal warrants review.

Elastic rule

[metadata]
creation_date = "2026/06/18"
integration = ["aws"]
maturity = "production"
updated_date = "2026/06/18"

[rule]
author = ["Elastic"]
description = """
Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its
permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant
elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a
durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy
attachments, so their creation by an unexpected principal warrants review.
"""
false_positives = [
    """
    Identity and platform teams and infrastructure-as-code pipelines occasionally manage group inline policies as part
    of normal access governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted group, and the
    policy document against approved change records. Known administration roles and deployment automation can be
    excluded after validation.
    """,
]
from = "now-6m"
index = ["logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Inline Policy Added to a Group"
note = """## Triage and analysis

### Investigating AWS IAM Inline Policy Added to a Group

`PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group inline policies are relatively rare, which makes their creation a useful signal.

### Possible investigation steps

- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made.
- Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or data-access permissions).
- Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor is or could become a member.
- Confirm whether the change aligns with an approved access request, onboarding, or deployment.
- Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM modifications that may form an escalation chain.

### False positive analysis

- Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.

### Response and remediation

- If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members used the granted permissions while it was in place.
- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a small set of trusted administrators.

### Additional information

- [IAM identity-based policies (inline)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html)
- [PutGroupPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)
"""
references = [
    "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html",
]
risk_score = 47
rule_id = "87f8141e-4275-4d49-9e76-d215b4614a0b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.action: "PutGroupPolicy"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AWSService"
    and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
    and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
    and not source.as.organization.name: (Amazon* or AMAZON* or Google*)
    and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]
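A triage helper, added here as an example and not part of the Elastic rule, that re-implements the query's main conditions against a raw CloudTrail record and extracts what the investigation steps ask for: the actor, the targeted groupName and policyName, and the Allow statements in policyDocument that grant wildcard or IAM permissions. It assumes the raw CloudTrail JSON shape (eventSource, eventName, userIdentity, userAgent, requestParameters) rather than the ECS-mapped fields the rule queries, and the sample event is constructed.

```python
import json
from urllib.parse import unquote

AUTOMATION_MARKERS = ("terraform", "pulumi", "ansible")  # mirrors the rule's exclusions

# Constructed CloudTrail record (not real telemetry) for a PutGroupPolicy call.
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com", "eventName": "PutGroupPolicy", "errorCode": None,
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "userAgent": "aws-cli/2.15.0 Python/3.11.6",
    "requestParameters": {
        "groupName": "developers", "policyName": "quick-fix",
        "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}),
    },
}

def matches_rule(event):
    """Approximate the rule's KQL filter against a raw CloudTrail record."""
    ident = event.get("userIdentity", {})
    haystack = ((event.get("userAgent") or "") + " " + (ident.get("arn") or "")).lower()
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "PutGroupPolicy"
            and not event.get("errorCode")                 # event.outcome: success
            and ident.get("type") != "AWSService"
            and not any(m in haystack for m in AUTOMATION_MARKERS))

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def risky_statements(event):
    """Return Allow statements that grant wildcard actions/resources or any IAM action."""
    raw = event["requestParameters"]["policyDocument"]
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        doc = json.loads(unquote(raw))  # assumption: some tooling URL-encodes the document
    stmts = doc["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a bare object
    findings = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(s.get("Action")), _as_list(s.get("Resource"))
        broad = [a for a in actions if a == "*" or a.endswith(":*") or a.lower().startswith("iam:")]
        if broad or "*" in resources:
            findings.append({"actions": broad or actions, "resources": resources})
    return findings
```

Run `risky_statements(SAMPLE_EVENT)` to see only the `iam:*` on `*` statement surface; the scoped S3 grant is left alone.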
