Triggers
- Apply a highly permissive inline policy (i.e. “:” or “:”) to a user, role, or group.
Possible Root Causes
- An attacker is changing the permissions of a user, role, or group to enable them to leverage those permissions to gain additional or persistent access to the environment.
- An administrator has been granted highly permissive policies to enable them complete access to the environment.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Review whether this account should have access to the console for their normal duties.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.