AWS Identity and Access Management (IAM) lets you manage access to AWS services and resources securely. Because IAM governs who can do what in an account, many security incidents leave a trace in IAM activity. This query looks for API calls that change IAM configuration, particularly those that attach new policies to users and roles, change access methods, or change account-level policies. If these turn out to be noisy in some environments, the regular, known changes can be filtered out.
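One way to express this detection over the Azure Sentinel AWSCloudTrail table, as an added example rather than the page's own query; it assumes the standard AWS CloudTrail connector columns (EventName, EventSource, UserIdentityArn, RequestParameters, ErrorCode) and uses a placeholder ARN for the allowlist of known automation:

```kql
// Added example, not the original query: flag successful IAM API calls that attach or
// change policies on users, roles and groups, change access methods, or change
// account-level password policy. Column names assume the AWSCloudTrail connector schema.
let lookback = 1d;
let PolicyChangeEvents = dynamic([
  "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
  "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
  "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
  "DeleteUserPolicy", "DeleteRolePolicy", "DeleteGroupPolicy",
  "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
  "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
  "CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey",
  "CreateLoginProfile", "UpdateLoginProfile", "DeleteLoginProfile",
  "DeactivateMFADevice", "DeleteVirtualMFADevice",
  "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"
]);
// Approved automation principals to suppress; placeholder ARN, replace with your own.
let KnownAutomation = dynamic(["arn:aws:iam::123456789012:role/ExampleApprovedCICDRole"]);
AWSCloudTrail
| where TimeGenerated > ago(lookback)
| where EventSource == "iam.amazonaws.com"
| where EventName in (PolicyChangeEvents)
| where isempty(ErrorCode)                        // only calls that actually succeeded
| where UserIdentityArn !in (KnownAutomation)     // drop the known, approved noise
| extend Params = parse_json(RequestParameters)
| extend TargetUser = tostring(Params.userName),
         TargetRole = tostring(Params.roleName),
         PolicyArn  = tostring(Params.policyArn)
| extend Target = iif(isempty(TargetUser), TargetRole, TargetUser)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Events = make_set(EventName), Targets = make_set(Target),
            Policies = make_set(PolicyArn), SourceIPs = make_set(SourceIpAddress),
            Count = count()
    by UserIdentityArn, UserIdentityType, AwsRegion
// Entity columns for Sentinel incident mapping: the caller and the first source IP seen.
| extend AccountEntityName = UserIdentityArn, IPEntityName = tostring(SourceIPs[0])
| order by Count desc
```

Grouping by caller makes a burst of attach/put calls from one principal stand out as a single row, which is the pattern worth reviewing against the change-management record.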
MITRE ATT&CK Tactics
AWS CloudTrail
1. Review the AWS policy change and determine whether it was internally approved by the change management board.
2. If it was not, collect evidence from the AWS CloudTrail logs.
3. Investigate the same user account, hostname and/or IP address entity in Azure Sentinel to see whether any lateral movement took place.
4. Reverse the change.