Managed Sentinel – Alert 012

Alert ID: MS-A012
Alert Name: Changes made to an AWS IAM policy
Description: Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. The IAM service is where many security incidents will be reflected. This query looks for API calls that change IAM, particularly those that attach new policies to users and roles, change access methods, or change account-level policies. If these turn out to be noisy in some environments, the regular, known ones can be filtered out.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Privilege Escalation, Lateral Movement
Log sources: AWS CloudTrail
Recommendations:
1. Review the AWS policy change and determine whether it was internally approved by the change management board.
2. If not, collect evidence from AWS CloudTrail logs.
3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see whether any lateral movement was completed.
4. Reverse the change.
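As an added example that is not the managed service's own query: the detection logic the description outlines, run in Python over constructed CloudTrail records. Field names are the standard CloudTrail JSON keys; the principal allowlist is a hypothetical tuning knob for filtering out known, approved changes.

```python
# IAM API actions grouped the way the alert description groups them.
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                 "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                 "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy"}
ACCESS_METHOD = {"CreateAccessKey", "UpdateAccessKey", "CreateLoginProfile",
                 "UpdateLoginProfile", "DeactivateMFADevice"}
ACCOUNT_POLICY = {"UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"}
WATCHED = POLICY_ATTACH | ACCESS_METHOD | ACCOUNT_POLICY


def iam_policy_changes(records, allowlist=frozenset()):
    """Return alert rows for the CloudTrail records that should raise MS-A012.

    allowlist (hypothetical tuning): principal ARNs, e.g. a CI deploy role,
    whose routine IAM changes are approved and would only add noise.
    """
    rows = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in WATCHED:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "")
        if actor in allowlist:
            continue
        p = rec.get("requestParameters") or {}
        rows.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": actor,                            # pivot entity for the Sentinel investigation
            "source_ip": rec.get("sourceIPAddress"),   # second pivot entity
            "target": p.get("userName") or p.get("roleName") or p.get("groupName"),
            "policy": p.get("policyArn") or p.get("policyName"),
            "error": rec.get("errorCode"),             # set when the call was denied or failed
        })
    return rows


def _rec(name, arn, ip, params=None, source="iam.amazonaws.com"):
    """Build one constructed CloudTrail record for the demo."""
    return {"eventTime": "2024-01-01T00:00:00Z", "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params or {}}


SAMPLE_RECORDS = [  # constructed sample data, not real CloudTrail output
    _rec("AttachUserPolicy", "arn:aws:iam::111122223333:user/alice", "203.0.113.7",
         {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("CreateAccessKey", "arn:aws:iam::111122223333:role/ci-deploy", "198.51.100.2",
         {"userName": "svc-build"}),
    _rec("GetUser", "arn:aws:iam::111122223333:user/alice", "203.0.113.7", {"userName": "bob"}),
    _rec("DeleteAccountPasswordPolicy", "arn:aws:iam::111122223333:user/alice", "203.0.113.7"),
    _rec("PutBucketPolicy", "arn:aws:iam::111122223333:user/alice", "203.0.113.7",
         {"bucketName": "x"}, source="s3.amazonaws.com"),
]

if __name__ == "__main__":
    for row in iam_policy_changes(SAMPLE_RECORDS, frozenset({"arn:aws:iam::111122223333:role/ci-deploy"})):
        print(row)
```

Read-only IAM calls and non-IAM services never match, and the allowlist drops only the approved principal's changes, so the remaining rows carry the actor and source IP needed for recommendation 3.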