AWS Suspect Admin Privilege Granting

View all detections
AWS Suspect Admin Privilege Granting

Triggers

  • Apply a highly permissive inline policy (i.e. “:” or “:”) to a user, role, or group.

Possible Root Causes

  • An attacker is changing the permissions of a user, role, or group to enable them to leverage those permissions to gain additional or persistent access to the environment.
  • An administrator has been granted highly permissive policies to enable them complete access to the environment.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Review whether this account should have access to the console for their normal duties.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.