Malicious scenario: Attacker probing IAM roles
An attacker compromises AWS access keys through phishing and begins querying IAM roles and attached policies using ListRoles and GetRolePolicy. This detection triggers, highlighting the reconnaissance activity before the attacker identifies and exploits a vulnerable privilege escalation path.
Benign scenario: Admin performing compliance checks
A cloud administrator conducts an IAM policy review to identify and clean up overly permissive roles. The admin uses the AWS CLI to query policies and roles for a detailed audit. This legitimate activity triggers the detection because it is indistinguishable, at the API-call level, from attacker reconnaissance.
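The following is an added illustration of the detection logic both scenarios describe, not the rule's own query: it groups CloudTrail events by calling identity and fires when one actor makes several distinct IAM role/policy read calls within a short window. The API list, threshold, window, account ID and event records are constructed assumptions for the example; both the phished user and the auditing admin trigger, which is exactly the triage problem the benign scenario points out.

```python
"""Toy IAM-enumeration detector over CloudTrail events (added example, not the
rule's own query). Sample events below are constructed in CloudTrail's layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# IAM read-only APIs that show up during role/policy reconnaissance (assumed list).
ENUM_APIS = {"ListRoles", "GetRolePolicy", "ListRolePolicies",
             "ListAttachedRolePolicies", "GetPolicy", "GetPolicyVersion"}

def detect_iam_enumeration(events, threshold=3, window=timedelta(minutes=10)):
    """Map actor ARN -> sorted distinct enumeration APIs, for every actor that
    called at least `threshold` distinct ENUM_APIS within any `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] in ENUM_APIS:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["userIdentity"]["arn"]].append((ts, ev["eventName"]))
    hits = {}
    for arn, calls in by_actor.items():
        calls.sort()  # sliding window: start at each call, look `window` ahead
        for i, (t0, _) in enumerate(calls):
            names = {n for t, n in calls[i:] if t - t0 <= window}
            if len(names) >= threshold:
                hits[arn] = sorted(names)
                break
    return hits

def _ev(time, arn, name, source="iam.amazonaws.com"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

VICTIM = "arn:aws:iam::111122223333:user/victim"               # phished access key
AUDITOR = "arn:aws:sts::111122223333:assumed-role/Audit/admin"  # compliance review
DEV = "arn:aws:iam::111122223333:user/dev"
SAMPLE_EVENTS = [  # constructed sample data, not real CloudTrail records
    _ev("2024-05-01T10:00:05Z", VICTIM, "ListRoles"),
    _ev("2024-05-01T10:00:09Z", VICTIM, "ListRolePolicies"),
    _ev("2024-05-01T10:00:12Z", VICTIM, "GetRolePolicy"),
    _ev("2024-05-01T11:00:00Z", AUDITOR, "ListRoles"),
    _ev("2024-05-01T11:02:00Z", AUDITOR, "ListAttachedRolePolicies"),
    _ev("2024-05-01T11:04:00Z", AUDITOR, "GetPolicy"),
    _ev("2024-05-01T12:00:00Z", DEV, "ListRoles"),  # one call: below threshold
    _ev("2024-05-01T12:00:01Z", DEV, "DescribeInstances", "ec2.amazonaws.com"),
]

if __name__ == "__main__":
    for arn, apis in detect_iam_enumeration(SAMPLE_EVENTS).items():
        print(f"{arn}: {', '.join(apis)}")
```

Separating the two cases needs context the API names alone do not carry, such as whether the caller is a long-lived IAM user key or an assumed admin role, which is why the admin's review still fires here.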