Detect IAM Privilege Escalation in AWS CloudTrail
MITRE ATT&CK: T1098T1078.004T1484
Sigma Rule
title: AWS IAM Privilege Escalation via Policy Modification
id: 9d2b4f60-7c11-4e83-bb6a-5e1a9f3c7d02
status: experimental
description: >
Detects IAM actions commonly chained for privilege escalation — attaching a
managed policy to a user, injecting an inline policy, creating a new policy
version, or weakening the account password policy. Alerting fidelity is highest
when scoped to principals that do not normally perform IAM administration.
references:
- https://attack.mitre.org/techniques/T1098/
author: LogTriage
date: 2026/06/22
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'AttachUserPolicy'
- 'AttachRolePolicy'
- 'PutUserPolicy'
- 'PutRolePolicy'
- 'CreatePolicyVersion'
- 'CreatePolicy'
- 'DeleteAccountPasswordPolicy'
- 'UpdateAssumeRolePolicy'
filter_known_admins:
userIdentity.arn|contains:
- ':role/PlatformAdmin'
- ':role/iam-ci'
condition: selection and not filter_known_admins
falsepositives:
- Sanctioned IAM administration by platform/CI roles (add them to filter_known_admins)
- Landing-zone / account bootstrap provisioning
level: high
tags:
- attack.privilege_escalation
- attack.persistence
- attack.t1098
What this rule detects
In AWS, privilege escalation usually means an identity granting itself (or a controlled identity) permissions beyond its intended scope. In CloudTrail that shows up as a small set of IAM-modifying API calls — attaching a managed policy, injecting an inline policy, creating a new policy version, or weakening the account password policy — performed by a principal that has no business doing IAM administration.
This Sigma rule fires on those iam.amazonaws.com event names except when the caller is a
known platform/CI admin role (the filter_known_admins allowlist you maintain).
Detection logic
The durable pattern here is “allowlist the admins, flag the rest.” Trying to enumerate every
malicious IAM sequence is a losing game; instead, the rule treats sensitive IAM writes as
alert-worthy from any principal outside your sanctioned IAM-administration roles. Populate
filter_known_admins with your real IAM team and CI roles.
For higher confidence, look at the sequence: privilege escalation commonly chains
AssumeRole → AttachUserPolicy/PutUserPolicy → CreateAccessKey. LogTriage groups a
principal’s events into a session and maps the chain to ATT&CK
so the whole escalation reads as one incident.
Validated against a real sample
Validated against cloudtrail_iam_escalation.json (shipped with LogTriage), which contains an
AssumeRole followed by AttachUserPolicy, CreatePolicy, and DeleteAccountPasswordPolicy from
a compromised contractor identity. The rule fires on that sample and stays silent on the matching
benign operations log.
False positives
Your IAM team and CI/CD pipelines legitimately perform these actions — that’s exactly what
filter_known_admins is for. Account bootstrap and landing-zone provisioning can also trip it;
scope by account and time window during known provisioning events.
Frequently Asked Questions
- Why include CreatePolicy and DeleteAccountPasswordPolicy — aren't those normal admin actions?
- They're normal for your IAM team, which is why the rule filters known admin/CI principals. From any other identity — an EC2 instance role, a developer key, a freshly assumed role — attaching policies or weakening the password policy is a classic escalation/persistence step worth alerting on.
- How do I cut false positives without missing real escalation?
- Populate filter_known_admins with the ARNs/roles that legitimately administer IAM, and alert on everything else. This 'allowlist the admins, flag the rest' approach is far more durable than trying to enumerate every malicious pattern.
- Does the order of events matter?
- For high confidence, yes — escalation often chains AssumeRole → AttachUserPolicy → CreateAccessKey. LogTriage groups a principal's CloudTrail events into a session and maps the chain to MITRE ATT&CK so you see the whole story, not isolated API calls.
Related Resources
See this detection run on a real report
Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.