AWS Suspect Admin Privilege Granting
Detection overview
Triggers
- Apply a highly permissive inline policy (i.e. “:” or “:”) to a user, role, or group.
Possible Root Causes
- An attacker is changing the permissions of a user, role, or group to enable them to leverage those permissions to gain additional or persistent access to the environment.
- An administrator has been granted highly permissive policies to enable them complete access to the environment.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Review whether this account should have access to the console for their normal duties.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.
AWS Suspect Admin Privilege Granting
Possible root causes
Malicious Detection
Benign Detection
AWS Suspect Admin Privilege Granting
Example scenarios
AWS Suspect Admin Privilege Granting
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
AWS Suspect Admin Privilege Granting
Steps to investigate
AWS Suspect Admin Privilege Granting
MITRE ATT&CK techniques covered
AWS Suspect Admin Privilege Granting
Related detections
No items found.