AWS Identity and Access Management (IAM) AWS-iam

61 operations, identified by eventName in the audit log.

eventName	Description
_catch_all	Catch-all entry for AWS-iam rules that match the service but not a specific eventName.
AddRoleToInstanceProfile	Associates an IAM role with an EC2 instance profile, allowing EC2 instances launched with that profile to assume the role.
AddUserToGroup	Adds an IAM user to the specified IAM group, granting the user the permissions attached to that group.
AssumeRoleWithSAML	Returns temporary security credentials for users authenticated via a SAML 2.0-compliant identity provider, enabling federated access to AWS.
AttachGroupPolicy	Attaches a managed IAM policy to an IAM group, granting the group's users the permissions defined in the policy.
AttachRolePolicy	Attaches a managed IAM policy to an IAM role, adding the policy's permissions to the role.
AttachUserPolicy	Attaches a managed IAM policy directly to an IAM user, granting that user the permissions defined in the policy.
CreateAccessKey	Creates a new AWS access key pair (access key ID and secret access key) for the specified IAM user.
CreateGroup	Creates a new IAM group to which IAM users can be added to share a common set of permissions.
CreateInstanceProfile	Creates a new IAM instance profile, a container that can hold one IAM role and is used to pass role information to EC2 instances.
CreateLoginProfile	Creates a password for the specified IAM user, enabling console sign-in for that user.
CreateOpenIDConnectProvider	Creates an IAM entity that describes an identity provider (IdP) supporting OpenID Connect (OIDC), enabling federated identity for AWS.
CreatePolicyVersion	Creates a new version of a managed IAM policy, allowing the policy document to be updated while retaining prior versions.
CreateRole	Creates a new IAM role with a specified trust policy, defining which principals can assume the role.
CreateSAMLProvider	Creates an IAM resource that describes an identity provider supporting SAML 2.0, enabling federated users to sign in to AWS.
CreateUser	Creates a new IAM user in the AWS account with a specified user name.
DeactivateMFADevice	Deactivates an MFA device previously associated with an IAM user, removing the MFA requirement for that user.
DeleteGroup	Deletes an IAM group, which must not have any users or attached policies before deletion.
DeleteSAMLProvider	Deletes a SAML provider resource object in IAM, removing the federated identity configuration.
DescribeOrganization	Returns information about the AWS organization that the current account belongs to, including its master account and feature set.
DescribeOrgnanizationalUnit	Returns details about an organizational unit (OU) in AWS Organizations, including its ID, ARN, and name.
DescribeResourcePolicy	Returns the resource-based policy attached to the specified AWS Organizations resource.
GetAccountSummary	Retrieves a summary of IAM entity usage and quotas for the current AWS account.
GetLoginProfile	Retrieves the console login profile (password metadata) for the specified IAM user, excluding the password itself.
ListAccessKeys	Returns metadata about the access keys associated with a specified IAM user, including key IDs, status, and creation dates.
ListAccountAliases	Lists the alias associated with the current AWS account, if any.
ListAccounts	Lists all AWS accounts in the organization, returning each account's ID, name, email, and status.
ListAccountsForParent	Lists the child accounts directly under the specified parent root or organizational unit in AWS Organizations.
ListAWSServiceAccessForOrganization	Lists the AWS services for which service-level trusted access is currently enabled in AWS Organizations.
ListDelegatedAdministrators	Lists the AWS accounts designated as delegated administrators for the specified service principal in AWS Organizations.
ListDelegatedServicesForAccount	Lists the services for which the specified account is a delegated administrator in AWS Organizations.
ListGroups	Returns a paginated list of IAM groups in the current AWS account.
ListMFADevices	Returns a list of MFA devices associated with an IAM user, or all virtual MFA devices in the account when no user is specified.
ListOrganizationalUnitsForParent	Lists the organizational units (OUs) that are directly under the specified parent root or OU in AWS Organizations.
ListPolicies	Lists IAM policies, with filters available to scope results to AWS-managed, customer-managed, or locally attached policies.
ListRoles	Returns a paginated list of IAM roles in the current AWS account, optionally filtered by path prefix.
ListRoots	Lists the roots in the current AWS organization, returning the root ID, ARN, name, and policy types enabled for that root.
ListUsers	Returns a paginated list of IAM users in the current AWS account, optionally filtered by path prefix.
PutRolePolicy	Creates or updates an inline policy document embedded directly in the specified IAM role.
PutUserPolicy	Creates or updates an inline policy document embedded directly in the specified IAM user.
SetDefaultPolicyVersion	Sets the specified version of a managed IAM policy as the default active version for the policy.
UpdateAssumeRolePolicy	Updates the trust policy (assume-role policy document) for an IAM role, changing which principals are permitted to assume it.
UpdateLoginProfile	Changes the password of the console login profile for the specified IAM user.
UpdateSAMLProvider	Updates the metadata document for an existing SAML provider in IAM.
CreateVirtualMFADevice	Creates a new virtual MFA device and returns the QR code seed for enrollment.
DeleteAccountPasswordPolicy	Deletes the password policy for the AWS account, reverting to default password requirements.
DeleteLoginProfile	Deletes the password-based login profile for an IAM user, preventing console sign-in.
DeleteVirtualMFADevice	Deletes a virtual MFA device, permanently removing it from the account.
EnableMFADevice	Associates and activates a virtual or hardware MFA device for an IAM user.
GetAccountAuthorizationDetails	Retrieves information about all IAM users, groups, roles, and policies in the account, including their relationships.
GetCredentialReport	Retrieves the credential report for the account, listing all IAM users and the status of their credentials.
GetPolicy	Retrieves metadata about a managed IAM policy, including its ARN, default version, and attachment count.
GetPolicyVersion	Retrieves the policy document for a specific version of a managed IAM policy.
GetRole	Retrieves metadata about an IAM role, including its trust policy and attached managed policies.
GetRolePolicy	Retrieves the inline policy document embedded in an IAM role.
GetUser	Retrieves metadata about an IAM user, including path, user ID, ARN, and creation date.
GetUserPolicy	Retrieves the inline policy document embedded in an IAM user.
ListAttachedRolePolicies	Lists all managed policies attached to a specified IAM role.
ListAttachedUserPolicies	Lists all managed policies attached to a specified IAM user.
ListUserPolicies	Lists the names of inline policies embedded in a specified IAM user.
UpdateAccountPasswordPolicy	Updates the password policy for the AWS account, setting requirements such as minimum length, complexity, and expiration.

_catch_all: AWS-iam (catch-all)

Service: AWS-iam

Description

Catch-all entry for AWS-iam rules that match the service but not a specific eventName.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`iam.amazonaws.com`	3 rules	elastic
`aws::userIdentity.accessKeyId`	starts_with	`ASIA`	1 rule	elastic
`aws::userIdentity.type`	eq	`IAMUser`	1 rule	elastic, panther, sigma
`user.id`	contains	`:i-`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS CloudTrail Log Evasion source medium: Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.
AWS IAM API Calls via Temporary Session Tokens source low: Detects sensitive AWS IAM API operations executed using temporary session credentials (access key IDs beginning with "ASIA"). Temporary credentials are commonly issued through sts:GetSessionToken, sts:AssumeRole, or AWS SSO logins and are meant for short-term use. It is unusual for legitimate users or automated processes to perform privileged IAM actions (e.g., creating users, updating policies, or enabling/disabling MFA) with session tokens. This behavior may indicate credential theft, session hijacking, or the abuse of a privileged role’s temporary credentials.
AWS EC2 Instance Interaction with IAM Service source low: Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern "i-" which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.

AddRoleToInstanceProfile

Service: AWS-iam

Description

Associates an IAM role with an EC2 instance profile, allowing EC2 instances launched with that profile to assume the role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`aws::userIdentity.type`	eq	`AssumedRole`	1 rule	elastic, kusto, panther, sigma

Detection Rules #

View all rules referencing this event →

Elastic #

AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

AddUserToGroup

Service: AWS-iam

Description

Adds an IAM user to the specified IAM group, granting the user the permissions attached to that group.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`iam.amazonaws.com`	2 rules	elastic
`aws::userIdentity.type`	eq	`AssumedRole`	1 rule	elastic, kusto, panther, sigma

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM User Addition to Group source low: Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). Any user added to a group automatically gains the permissions that are assigned to the group. If the target group carries elevated or admin privileges, this action can instantly grant high-risk permissions useful for credential misuse, lateral movement, or privilege escalation.
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

AssumeRoleWithSAML

Service: AWS-iam

Description

Returns temporary security credentials for users authenticated via a SAML 2.0-compliant identity provider, enabling federated access to AWS.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

AttachGroupPolicy

Service: AWS-iam

Description

Attaches a managed IAM policy to an IAM group, granting the group's users the permissions defined in the policy.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`AttachGroupPolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachRolePolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachUserPolicy`	2 rules	sigma
`aws::eventSource`	eq	`iam.amazonaws.com`	2 rules	panther, sigma, splunk
`SubjectUserName`	regex_match	`\/i-.*$`	1 rule	chronicle
`aws::errorCode`	eq	`AccessDenied`	1 rule	elastic, panther, sigma, splunk
`aws::requestParameters`	contains	`policyarn=arn:aws:iam::aws:policy/administratoraccess`	1 rule	elastic
`aws::userIdentity.type`	eq	`AssumedRole`	1 rule	elastic, kusto, panther, sigma
`principal.resource.type`	eq	`AssumedRole`	1 rule	chronicle
`target.application`	eq	`iam.amazonaws.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Sigma #

IAM Policy Attachment Attempt source medium: Detects a failed attempt to attach an IAM policy to a user, group, or role. Even though the attempt was denied, it indicates the attacker has valid credentials and is attempting privilege escalation. This is commonly observed when attackers use stolen credentials that lack IAM write permissions. Note: AccessDenied events may have empty requestParameters, so this rule does not filter by policy name to avoid missing detections.↳ also matches AttachRolePolicy, AttachUserPolicy
IAM Admin Policy Attached source critical: Detects when an administrative IAM policy (AdministratorAccess, PowerUserAccess, or IAMFullAccess) is attached to a user, group, or role. This is a privilege escalation technique where an attacker elevates permissions of a compromised or newly created principal to gain full control of the AWS account.↳ also matches AttachRolePolicy, AttachUserPolicy

Elastic #

AWS IAM AdministratorAccess Policy Attached to Group source medium: An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM AttachGroupPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user group.
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

YARA-L #

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateRole, CreateUser, UpdateLoginProfile
AWS IAM Administrator Access Policy Attached source: Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation.↳ also matches AttachRolePolicy, AttachUserPolicy
AWS IAM Compromised Key Quarantine Policy Attached source: Detect when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group. It is applied by the AWS team in the event that the credentials of an IAM user has been compromised or publicly exposed.↳ also matches AttachRolePolicy, AttachUserPolicy

AttachRolePolicy

Service: AWS-iam

Description

Attaches a managed IAM policy to an IAM role, adding the policy's permissions to the role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`iam.amazonaws.com`	4 rules	elastic
`event.outcome`	eq	`success`	4 rules	elastic
`EventType`	eq	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`aws::eventName`	eq	`AttachGroupPolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachRolePolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachUserPolicy`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

IAM Policy Attachment Attempt source medium: Detects a failed attempt to attach an IAM policy to a user, group, or role. Even though the attempt was denied, it indicates the attacker has valid credentials and is attempting privilege escalation. This is commonly observed when attackers use stolen credentials that lack IAM write permissions. Note: AccessDenied events may have empty requestParameters, so this rule does not filter by policy name to avoid missing detections.↳ also matches AttachGroupPolicy, AttachUserPolicy
IAM Admin Policy Attached source critical: Detects when an administrative IAM policy (AdministratorAccess, PowerUserAccess, or IAMFullAccess) is attached to a user, group, or role. This is a privilege escalation technique where an attacker elevates permissions of a compromised or newly created principal to gain full control of the AWS account.↳ also matches AttachGroupPolicy, AttachUserPolicy

Elastic #

AWS IAM AdministratorAccess Policy Attached to Role source medium: An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM AttachRolePolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM role.
AWS IAM Customer-Managed Policy Attached to Role by Rare User source low: Detects when an AWS Identity and Access Management (IAM) customer-managed policy is attached to a role by an unusual or unauthorized user. Customer-managed policies are policies created and controlled within an AWS account, granting specific permissions to roles or users when attached. This rule identifies potential privilege escalation by flagging cases where a customer-managed policy is attached to a role by an unexpected actor, which could signal unauthorized access or misuse. Attackers may attach policies to roles to expand permissions and elevate their privileges within the AWS environment. This is a New Terms rule that uses the "cloud.account.id", "user.name" and "entity.target.id" fields to check if the combination of the actor identity and target role name has not been seen before.
AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

Show 1 more (4 total)

AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

YARA-L #

AWS IAM Administrator Access Policy Attached source: Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation.↳ also matches AttachGroupPolicy, AttachUserPolicy
AWS IAM Compromised Key Quarantine Policy Attached source: Detect when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group. It is applied by the AWS team in the event that the credentials of an IAM user has been compromised or publicly exposed.↳ also matches AttachGroupPolicy, AttachUserPolicy
AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateRole, CreateUser, UpdateLoginProfile

AttachUserPolicy

Service: AWS-iam

Description

Attaches a managed IAM policy directly to an IAM user, granting that user the permissions defined in the policy.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`iam.amazonaws.com`	3 rules	elastic
`EventType`	eq	`AttachUserPolicy`	1 rule	elastic
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`aws::eventName`	eq	`AttachGroupPolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachRolePolicy`	2 rules	sigma
`aws::eventName`	eq	`AttachUserPolicy`	2 rules	sigma
`aws::eventSource`	eq	`iam.amazonaws.com`	2 rules	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

IAM Policy Attachment Attempt source medium: Detects a failed attempt to attach an IAM policy to a user, group, or role. Even though the attempt was denied, it indicates the attacker has valid credentials and is attempting privilege escalation. This is commonly observed when attackers use stolen credentials that lack IAM write permissions. Note: AccessDenied events may have empty requestParameters, so this rule does not filter by policy name to avoid missing detections.↳ also matches AttachGroupPolicy, AttachRolePolicy
IAM Admin Policy Attached source critical: Detects when an administrative IAM policy (AdministratorAccess, PowerUserAccess, or IAMFullAccess) is attached to a user, group, or role. This is a privilege escalation technique where an attacker elevates permissions of a compromised or newly created principal to gain full control of the AWS account.↳ also matches AttachGroupPolicy, AttachRolePolicy

Elastic #

AWS IAM AdministratorAccess Policy Attached to User source medium: An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM AttachUserPolicy API operation to attach the highly permissive AdministratorAccess AWS managed policy to an existing IAM user.
AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

YARA-L #

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateRole, CreateUser, UpdateLoginProfile
AWS IAM Administrator Access Policy Attached source: Detects when AWS IAM AdministratorAccess policy is attached to a user, group or role which can be used for privilege escalation.↳ also matches AttachGroupPolicy, AttachRolePolicy
AWS IAM Compromised Key Quarantine Policy Attached source: Detect when the AWS managed policy AWSCompromisedKeyQuarantine has been attached to a user, role, or group. It is applied by the AWS team in the event that the credentials of an IAM user has been compromised or publicly exposed.↳ also matches AttachGroupPolicy, AttachRolePolicy

CreateAccessKey

Service: AWS-iam

Description

Creates a new AWS access key pair (access key ID and secret access key) for the specified IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`CreateAccessKey`	4 rules	kusto, panther, sigma, splunk
`aws::eventSource`	eq	`iam.amazonaws.com`	4 rules	panther, sigma, splunk
`security_result.action`	eq	`ALLOW`	4 rules	chronicle
`Provider_Name`	eq	`iam.amazonaws.com`	3 rules	elastic
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`target.application`	eq	`iam.amazonaws.com`	2 rules	chronicle
`SubjectUserName`	regex_match	`\/i-.*$`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Sigma #

AWS IAM Backdoor Users Keys source medium: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
AWS IAM S3Browser User or AccessKey Creation source high: Detects S3 Browser utility creating IAM User or AccessKey.↳ also matches CreateUser
IAM Access Key Creation Attempt source medium: Detects a failed attempt to create an IAM access key (AccessDenied). Even though the attempt failed, it indicates the attacker has valid credentials and is attempting persistence via access key creation.

Show 1 more (4 total)

IAM Access Key Created source medium: Detects when an IAM access key is created via CreateAccessKey. Attackers create access keys for persistence after compromising an account, often targeting an existing user or a newly created backdoor user. Note: This is different from CreateApiKey (AppSync/API Gateway).

Elastic #

AWS IAM User Created Access Keys For Another User source medium: An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM CreateAccessKey API operation to create new programmatic access keys for another IAM user.
AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

YARA-L #

AWS Privilege Escalation Using IAM Access Key source: Detect when a user creates a new access key for another user and escalates privileges using this newly created access key from the same IP.
AWS User Creates Permanent Access Key source: Detects when an AWS IAM user creates an AWS Access Key for programmatic calls.
AWS IAM Activity By S3 Browser Utility source: Detect AWS IAM activities associated with the S3 Browser utility.↳ also matches CreateLoginProfile, CreateUser, PutUserPolicy

Show 1 more (4 total)

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateGroup, CreateLoginProfile, CreateRole, CreateUser, UpdateLoginProfile

CreateGroup

Service: AWS-iam

Description

Creates a new IAM group to which IAM users can be added to share a common set of permissions.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`SubjectUserName`	regex_match	`\/i-.*$`	1 rule	chronicle
`principal.resource.type`	eq	`AssumedRole`	1 rule	chronicle
`target.application`	eq	`iam.amazonaws.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Group Creation source low: Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. Adversaries who obtain credentials with IAM write privileges may create a new group as a foothold for persistence: they can later attach admin-level policies to the group and quietly add users or roles to inherit those privileges.

YARA-L #

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateLoginProfile, CreateRole, CreateUser, UpdateLoginProfile

CreateInstanceProfile

Service: AWS-iam

Description

Creates a new IAM instance profile, a container that can hold one IAM role and is used to pass role information to EC2 instances.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy

CreateLoginProfile

Service: AWS-iam

Description

Creates a password for the specified IAM user, enabling console sign-in for that user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`ALLOW`	3 rules	chronicle
`EventType`	eq	`CreateLoginProfile`	2 rules	elastic
`Provider_Name`	eq	`iam.amazonaws.com`	2 rules	elastic
`aws::eventName`	eq	`CreateLoginProfile`	2 rules	sigma, splunk
`aws::eventSource`	eq	`iam.amazonaws.com`	2 rules	panther, sigma, splunk
`target.application`	eq	`iam.amazonaws.com`	2 rules	chronicle
`SubjectUserName`	regex_match	`\/i-.*$`	1 rule	chronicle
`aws::userIdentity.type`	eq	`Root`	1 rule	elastic, panther, sigma
`principal.resource.type`	eq	`AssumedRole`	1 rule	chronicle
`userAgent`	contains	`s3 browser`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

AWS IAM S3Browser LoginProfile Creation source high: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.↳ also matches GetLoginProfile
IAM Login Profile Created source medium: Establishes persistence by creating a Login Profile on an existing IAM user. This allows an attacker to access an IAM user intended to be used programmatically through the AWS console usual login process. This can also be detected with UpdateLoginProfile events. If an account is meant to be used only programmatically, it should not have a login profile.

Elastic #

AWS IAM Login Profile Added for Root source high: Identifies creation of a console login profile for the AWS account root user. While CreateLoginProfile normally applies to IAM users, when performed from a temporary root session (e.g., via AssumeRoot) and the userName parameter is omitted, the profile is created for the root principal (self-assigned). Adversaries with temporary root access may add or reset the root login profile to establish persistent console access even if original access keys are rotated or disabled. Correlate with recent AssumeRoot/STS activity and validate intent with the account owner.
AWS IAM Login Profile Added to User source low: Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who typically does not have one and is used only for programmatic access. This can be used to maintain access to the account even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.

YARA-L #

AWS IAM Activity By S3 Browser Utility source: Detect AWS IAM activities associated with the S3 Browser utility.↳ also matches CreateAccessKey, CreateUser, PutUserPolicy
AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateRole, CreateUser, UpdateLoginProfile
AWS Privilege Escalation Using IAM Login Profile source: Detect when a user creates or updates a login profile for another user and escalates privileges using this new user from the same IP.↳ also matches UpdateLoginProfile

CreateOpenIDConnectProvider

Service: AWS-iam

Description

Creates an IAM entity that describes an identity provider (IdP) supporting OpenID Connect (OIDC), enabling federated identity for AWS.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM OIDC Provider Created by Rare User source medium: Detects when an uncommon user or role creates an OpenID Connect (OIDC) Identity Provider in AWS IAM. OIDC providers enable web identity federation, allowing users authenticated by external identity providers (such as Google, GitHub, or custom OIDC-compliant providers) to assume IAM roles and access AWS resources. Adversaries who have gained administrative access may create rogue OIDC providers to establish persistent, federated access that survives credential rotation. This technique allows attackers to assume roles using tokens from an IdP they control. While OIDC provider creation is benign in some environments, it should still be validated against authorized infrastructure changes.

CreatePolicyVersion

Service: AWS-iam

Description

Creates a new version of a managed IAM policy, allowing the policy document to be updated while retaining prior versions.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::errorCode`	eq	`success`	1 rule	splunk

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Customer Managed Policy Version Created or Default Version Set source medium: Identifies successful IAM API calls that create a new customer managed policy version or set the default version for an existing customer managed policy. Attackers with iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on a privileged policy can introduce a permissive policy document and activate it, escalating effective permissions without attaching a new policy. These APIs are high impact when the target policy is attached to powerful roles or users.↳ also matches SetDefaultPolicyVersion

Splunk #

AWS Create Policy Version to allow all resources source: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that…

CreateRole

Service: AWS-iam

Description

Creates a new IAM role with a specified trust policy, defining which principals can assume the role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`SubjectUserName`	regex_match	`\/i-.*$`	1 rule	chronicle
`principal.resource.type`	eq	`AssumedRole`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

Elastic #

AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateUser, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateUser, PutRolePolicy, PutUserPolicy

YARA-L #

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateUser, UpdateLoginProfile

CreateSAMLProvider

Service: AWS-iam

Description

Creates an IAM resource that describes an identity provider supporting SAML 2.0, enabling federated users to sign in to AWS.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM SAML Provider Created source medium: Detects the creation of a new SAML Identity Provider (IdP) in AWS IAM. SAML providers enable federated authentication between AWS and external identity providers, allowing users to access AWS resources using credentials from the external IdP. Adversaries who have gained administrative access may create rogue SAML providers to establish persistent, federated access to AWS accounts that survives credential rotation. This technique allows attackers to assume roles and access resources by forging SAML assertions from an IdP they control. Creating a SAML provider is a rare administrative action that should be closely monitored and validated against authorized infrastructure changes.

YARA-L #

AWS SAML Identity Provider Changes source: Detects create, update or delete events of a SAML provider in AWS.↳ also matches DeleteSAMLProvider

CreateUser

Service: AWS-iam

Description

Creates a new IAM user in the AWS account with a specified user name.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`iam.amazonaws.com`	3 rules	elastic
`aws::eventName`	eq	`CreateUser`	3 rules	panther, sigma
`aws::eventSource`	eq	`iam.amazonaws.com`	3 rules	panther, sigma, splunk
`event.outcome`	eq	`success`	3 rules	elastic
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic
`aws::userIdentity.type`	eq	`AssumedRole`	2 rules	elastic, kusto, panther, sigma
`target.application`	eq	`iam.amazonaws.com`	2 rules	chronicle

Detection Rules #

View all rules referencing this event →

Sigma #

IAM User Creation Attempt source medium: Detects a failed attempt to create an IAM user (AccessDenied). Even though the attempt failed, it indicates the attacker has valid credentials and is attempting persistence via IAM user creation.
IAM User Created source high: Detects when an IAM user creates a new IAM user via CreateUser. This is a common persistence technique where an attacker with compromised credentials creates a backdoor IAM user for continued access even after the originally compromised credentials are rotated.
AWS IAM S3Browser User or AccessKey Creation source high: Detects S3 Browser utility creating IAM User or AccessKey.↳ also matches CreateAccessKey

Elastic #

AWS IAM Create User via Assumed Role on EC2 Instance source medium: Detects the creation of an AWS Identity and Access Management (IAM) user initiated by an assumed role on an EC2 instance. Assumed roles allow users or services to temporarily adopt different AWS permissions, but the creation of IAM users through these roles, particularly from within EC2 instances, may indicate a compromised instance. Adversaries might exploit such permissions to establish persistence by creating new IAM users under unauthorized conditions.
AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, PutRolePolicy, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, PutRolePolicy, PutUserPolicy

YARA-L #

AWS IAM Activity By S3 Browser Utility source: Detect AWS IAM activities associated with the S3 Browser utility.↳ also matches CreateAccessKey, CreateLoginProfile, PutUserPolicy
AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateRole, UpdateLoginProfile

DeactivateMFADevice

Service: AWS-iam

Description

Deactivates an MFA device previously associated with an IAM user, removing the MFA requirement for that user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Deactivation of MFA Device source medium: Detects the deactivation of a Multi-Factor Authentication (MFA) device in AWS Identity and Access Management (IAM). MFA provides critical protection against unauthorized access by requiring a second factor for authentication. Adversaries or compromised administrators may deactivate MFA devices to weaken account protections, disable strong authentication, or prepare for privilege escalation or persistence. This rule monitors successful DeactivateMFADevice API calls, which represent the point at which MFA protection is actually removed.

YARA-L #

AWS MultiFactor Authentication Disabled source: Detects attempts to disable multi-factor authentication for an AWS IAM user.↳ also matches DeleteVirtualMFADevice

DeleteGroup

Service: AWS-iam

Description

Deletes an IAM group, which must not have any users or attached policies before deletion.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`DeleteGroup`	2 rules	splunk
`userAgent`	ne	`*.amazonaws.com`	2 rules	splunk
`aws::errorCode`	eq	`success`	1 rule	splunk
`aws::errorCode`	in	`AccessDenied`	1 rule	elastic, splunk

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Group Deletion source low: Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.

Splunk #

AWS IAM Failure Group Deletion source: The following analytic identifies failed attempts to delete AWS IAM groups. It leverages AWS CloudTrail logs to detect events where the DeleteGroup action fails due to errors like NoSuchEntityException, DeleteConflictException, or…
AWS IAM Successful Group Deletion source: The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect DeleteGroup events with a success status. This activity is significant as it could indicate potential changes in…

DeleteSAMLProvider

Service: AWS-iam

Description

Deletes a SAML provider resource object in IAM, removing the federated identity configuration.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`status`	eq	`success`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

AWS SAML Provider Deletion Activity source medium: Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

YARA-L #

AWS SAML Identity Provider Changes source: Detects create, update or delete events of a SAML provider in AWS.↳ also matches CreateSAMLProvider

DescribeOrganization

Service: AWS-iam

Description

Returns information about the AWS organization that the current account belongs to, including its master account and feature set.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeOrgnanizationalUnit

Service: AWS-iam

Description

Returns details about an organizational unit (OU) in AWS Organizations, including its ID, ARN, and name.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DescribeResourcePolicy

Service: AWS-iam

Description

Returns the resource-based policy attached to the specified AWS Organizations resource.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

GetAccountSummary

Service: AWS-iam

Description

Retrieves a summary of IAM entity usage and quotas for the current AWS account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

GetLoginProfile

Service: AWS-iam

Description

Retrieves the console login profile (password metadata) for the specified IAM user, excluding the password itself.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`CreateLoginProfile`	1 rule	sigma, splunk
`userAgent`	contains	`s3 browser`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

AWS IAM S3Browser LoginProfile Creation source high: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.↳ also matches CreateLoginProfile

ListAccessKeys

Service: AWS-iam

Description

Returns metadata about the access keys associated with a specified IAM user, including key IDs, status, and creation dates.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

ListAccountAliases

Service: AWS-iam

Description

Lists the alias associated with the current AWS account, if any.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListAccounts

Service: AWS-iam

Description

Lists all AWS accounts in the organization, returning each account's ID, name, email, and status.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListAccountsForParent

Service: AWS-iam

Description

Lists the child accounts directly under the specified parent root or organizational unit in AWS Organizations.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListAWSServiceAccessForOrganization

Service: AWS-iam

Description

Lists the AWS services for which service-level trusted access is currently enabled in AWS Organizations.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListDelegatedAdministrators

Service: AWS-iam

Description

Lists the AWS accounts designated as delegated administrators for the specified service principal in AWS Organizations.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListDelegatedServicesForAccount

Service: AWS-iam

Description

Lists the services for which the specified account is a delegated administrator in AWS Organizations.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListGroups

Service: AWS-iam

Description

Returns a paginated list of IAM groups in the current AWS account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

ListMFADevices

Service: AWS-iam

Description

Returns a list of MFA devices associated with an IAM user, or all virtual MFA devices in the account when no user is specified.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListOrganizationalUnitsForParent

Service: AWS-iam

Description

Lists the organizational units (OUs) that are directly under the specified parent root or OU in AWS Organizations.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListPolicies

Service: AWS-iam

Description

Lists IAM policies, with filters available to scope results to AWS-managed, customer-managed, or locally attached policies.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListRoles

Service: AWS-iam

Description

Returns a paginated list of IAM roles in the current AWS account, optionally filtered by path prefix.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`ListRoles`	2 rules	sigma
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma
`aws::eventSource`	eq	`iam.amazonaws.com`	2 rules	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Role Enumeration source low: An attacker may have enumerated roles (groups of permissions(policies)) with aws iam list-roles.
Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

ListRoots

Service: AWS-iam

Description

Lists the roots in the current AWS organization, returning the root ID, ARN, name, and policy types enabled for that root.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

ListUsers

Service: AWS-iam

Description

Returns a paginated list of IAM users in the current AWS account, optionally filtered by path prefix.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`ListUsers`	2 rules	sigma
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventSource`	eq	`iam.amazonaws.com`	2 rules	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

User Enumeration source low: An attacker may have enumerated users with aws iam list-users.
Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

PutRolePolicy

Service: AWS-iam

Description

Creates or updates an inline policy document embedded directly in the specified IAM role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`AddRoleToInstanceProfile`	2 rules	elastic
`EventType`	in	`AttachRolePolicy`	2 rules	elastic
`EventType`	in	`AttachUserPolicy`	2 rules	elastic
`EventType`	in	`CreateAccessKey`	2 rules	elastic
`EventType`	in	`CreateInstanceProfile`	2 rules	elastic
`EventType`	in	`CreateRole`	2 rules	elastic
`EventType`	in	`CreateUser`	2 rules	elastic
`EventType`	in	`PutRolePolicy`	2 rules	elastic
`EventType`	in	`PutUserPolicy`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutUserPolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutUserPolicy

PutUserPolicy

Service: AWS-iam

Description

Creates or updates an inline policy document embedded directly in the specified IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`PutUserPolicy`	1 rule	panther, sigma
`target.application`	eq	`iam.amazonaws.com`	1 rule	chronicle
`userAgent`	contains	`s3 browser`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

AWS IAM S3Browser Templated S3 Bucket Policy Creation source high: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".

Elastic #

AWS Sensitive IAM Operations Performed via CloudShell source medium: Identifies sensitive AWS IAM operations performed via AWS CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. While convenient for administrators, CloudShell access from compromised console sessions can enable attackers to perform privileged operations without installing tools or using programmatic credentials. This rule detects high-risk actions such as creating IAM users, access keys, roles, or attaching policies when initiated from CloudShell, which may indicate post-compromise credential harvesting or privilege escalation activity.↳ also matches AddRoleToInstanceProfile, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy
AWS IAM Sensitive Operations via Lambda Execution Role source high: Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.↳ also matches AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy

YARA-L #

AWS IAM Activity By S3 Browser Utility source: Detect AWS IAM activities associated with the S3 Browser utility.↳ also matches CreateAccessKey, CreateLoginProfile, CreateUser

SetDefaultPolicyVersion

Service: AWS-iam

Description

Sets the specified version of a managed IAM policy as the default active version for the policy.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`SetDefaultPolicyVersion`	1 rule	kusto, splunk

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Customer Managed Policy Version Created or Default Version Set source medium: Identifies successful IAM API calls that create a new customer managed policy version or set the default version for an existing customer managed policy. Attackers with iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion on a privileged policy can introduce a permissive policy document and activate it, escalating effective permissions without attaching a new policy. These APIs are high impact when the target policy is attached to powerful roles or users.↳ also matches CreatePolicyVersion

Splunk #

AWS SetDefaultPolicyVersion source: The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the SetDefaultPolicyVersion event from the IAM service. This activity is significant because attackers may…

UpdateAssumeRolePolicy

Service: AWS-iam

Description

Updates the trust policy (assume-role policy document) for an IAM role, changing which principals are permitted to assume it.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`UpdateAssumeRolePolicy`	2 rules	elastic
`Provider_Name`	eq	`iam.amazonaws.com`	2 rules	elastic
`aws::errorCode`	eq	`MalformedPolicyDocumentException`	1 rule	elastic, splunk
`event.outcome`	eq	`failure`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Principal Enumeration via UpdateAssumeRolePolicy source medium: Detects repeated failed attempts to update an IAM role’s trust policy in an AWS account, consistent with role and user enumeration techniques. In this technique, an attacker who controls credentials in the current account repeatedly calls UpdateAssumeRolePolicy on a single role, cycling through guessed cross-account role or user ARNs as the principal. When those principals are invalid, IAM returns MalformedPolicyDocumentException, producing a burst of failed UpdateAssumeRolePolicy events. This rule alerts on that brute-force pattern originating from this account, which may indicate that the account is being used as attack infrastructure or that offensive tooling (such as Pacu) is running here. Note: this rule does not detect other accounts enumerating roles, because those API calls are logged in the caller’s account, not the target account.
AWS IAM Assume Role Policy Update source low: Identifies AWS CloudTrail events where an IAM role's trust policy has been updated by an IAM user or Assumed Role identity. The trust policy is a JSON document that defines which principals are allowed to assume the role. An attacker may attempt to modify this policy to gain the privileges of the role. This is a New Terms rule, which means it will only trigger once for each unique combination of the "cloud.account.id", "user.name" and "entity.target.id" fields, that have not been seen making this API request.

UpdateLoginProfile

Service: AWS-iam

Description

Changes the password of the console login profile for the specified IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`UpdateLoginProfile`	1 rule	panther, sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

AWS User Login Profile Was Modified source high: Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.

YARA-L #

AWS IAM Activity From EC2 Instance source: Detect AWS IAM activities made by AWS EC2 instances to retain access or escalate privileges.↳ also matches AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateGroup, CreateLoginProfile, CreateRole, CreateUser
AWS Privilege Escalation Using IAM Login Profile source: Detect when a user creates or updates a login profile for another user and escalates privileges using this new user from the same IP.↳ also matches CreateLoginProfile

UpdateSAMLProvider

Service: AWS-iam

Description

Updates the metadata document for an existing SAML provider in IAM.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM SAML Provider Updated source medium: Detects when an AWS IAM SAML provider is updated, which manages federated authentication between AWS and external identity providers (IdPs). Adversaries with administrative access may modify a SAML provider’s metadata or certificate to redirect authentication flows, enable unauthorized federation, or escalate privileges through identity trust manipulation. Because SAML providers underpin single sign-on (SSO) access for users and applications, unauthorized modifications may allow persistent or covert access even after credentials are revoked. Monitoring "UpdateSAMLProvider" API activity is critical to detect potential compromise of federated trust relationships.

CreateVirtualMFADevice

Service: AWS-iam

Description

Creates a new virtual MFA device and returns the QR code seed for enrollment.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::userIdentity.accessKeyId`	starts_with	`ASIA`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Virtual MFA Device Registration Attempt with Session Token source medium: Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.↳ also matches EnableMFADevice

YARA-L #

AWS New MFA Method Registered For User source: Detects the registration of a new Multi Factor authentication method for an AWS user.↳ also matches EnableMFADevice

DeleteAccountPasswordPolicy

Service: AWS-iam

Description

Deletes the password policy for the AWS account, reverting to default password requirements.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

YARA-L #

AWS Password Policy Change source: Detects when an existing password policy is updated or deleted in an AWS account.↳ also matches UpdateAccountPasswordPolicy

DeleteLoginProfile

Service: AWS-iam

Description

Deletes the password-based login profile for an IAM user, preventing console sign-in.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

IAM Login Profile Deleted source low: Detects when an IAM login profile is deleted, which may indicate an attacker removing access to a compromised account or an administrator performing account cleanup.

DeleteVirtualMFADevice

Service: AWS-iam

Description

Deletes a virtual MFA device, permanently removing it from the account.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

YARA-L #

AWS MultiFactor Authentication Disabled source: Detects attempts to disable multi-factor authentication for an AWS IAM user.↳ also matches DeactivateMFADevice

EnableMFADevice

Service: AWS-iam

Description

Associates and activates a virtual or hardware MFA device for an IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::userIdentity.accessKeyId`	starts_with	`ASIA`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS IAM Virtual MFA Device Registration Attempt with Session Token source medium: Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.↳ also matches CreateVirtualMFADevice

YARA-L #

AWS New MFA Method Registered For User source: Detects the registration of a new Multi Factor authentication method for an AWS user.↳ also matches CreateVirtualMFADevice

GetAccountAuthorizationDetails

Service: AWS-iam

Description

Retrieves information about all IAM users, groups, roles, and policies in the account, including their relationships.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetCredentialReport

Service: AWS-iam

Description

Retrieves the credential report for the account, listing all IAM users and the status of their credentials.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetPolicy

Service: AWS-iam

Description

Retrieves metadata about a managed IAM policy, including its ARN, default version, and attachment count.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`GetCallerIdentity`	1 rule	kusto, panther, sigma
`aws::eventName`	eq	`GetSessionToken`	1 rule	panther, sigma
`aws::eventName`	eq	`ListBuckets`	1 rule	sigma
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetPolicyVersion

Service: AWS-iam

Description

Retrieves the policy document for a specific version of a managed IAM policy.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`aws::eventName`	eq	`ListRoles`	1 rule	sigma
`aws::eventName`	eq	`ListUsers`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetRole

Service: AWS-iam

Description

Retrieves metadata about an IAM role, including its trust policy and attached managed policies.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetRolePolicy

Service: AWS-iam

Description

Retrieves the inline policy document embedded in an IAM role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetUser

Service: AWS-iam

Description

Retrieves metadata about an IAM user, including path, user ID, ARN, and creation date.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

GetUserPolicy

Service: AWS-iam

Description

Retrieves the inline policy document embedded in an IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, ListAttachedRolePolicies, ListAttachedUserPolicies, ListUserPolicies

ListAttachedRolePolicies

Service: AWS-iam

Description

Lists all managed policies attached to a specified IAM role.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedUserPolicies, ListUserPolicies

ListAttachedUserPolicies

Service: AWS-iam

Description

Lists all managed policies attached to a specified IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListUserPolicies

ListUserPolicies

Service: AWS-iam

Description

Lists the names of inline policies embedded in a specified IAM user.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

Sigma #

Many Recon Events source high: Detects multiple reconnaissance events, which may indicate an attacker attempting to gather information about the target environment. For each user ARN, it will look for three or more different reconnaissance events within a one minute timespan. If you are getting too many false positives, you can lower the timespan or increase the number of events required to trigger an alert.↳ also matches ListAccessKeys, ListGroups, ListRoles, ListUsers, GetAccountAuthorizationDetails, GetCredentialReport, GetPolicy, GetPolicyVersion, GetRole, GetRolePolicy, GetUser, GetUserPolicy, ListAttachedRolePolicies, ListAttachedUserPolicies

UpdateAccountPasswordPolicy

Service: AWS-iam

Description

Updates the password policy for the AWS account, setting requirements such as minimum length, complexity, and expiration.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Detection Rules #

View all rules referencing this event →

YARA-L #

AWS Password Policy Change source: Detects when an existing password policy is updated or deleted in an AWS account.↳ also matches DeleteAccountPasswordPolicy

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)