AWS IAM Sensitive Operations via Lambda Execution Role
Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or preparing EC2 instance profiles for lateral movement.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1078.004 Valid Accounts: Cloud Accounts, T1098 Account Manipulation, T1136.003 Create Account: Cloud Account |
| Privilege Escalation | T1078.004 Valid Accounts: Cloud Accounts, T1098 Account Manipulation |
Event coverage
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- AWS Compromised IAM Key Quarantine (Panther)
- AWS IAM AdministratorAccess Policy Attached to Group (Elastic)
- AWS IAM AdministratorAccess Policy Attached to Role (Elastic)
- AWS IAM AdministratorAccess Policy Attached to User (Elastic)
- AWS IAM Backdoor Users Keys (Sigma)
- AWS IAM Create User via Assumed Role on EC2 Instance (Elastic)
- AWS IAM Customer-Managed Policy Attached to Role by Rare User (Elastic)
- AWS IAM S3Browser Templated S3 Bucket Policy Creation (Sigma)
Rule body (Elastic)

```toml
[metadata]
creation_date = "2026/04/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/04"

[rule]
author = ["Elastic"]
description = """
Detects successful IAM API calls that create or empower IAM users and roles, attach or embed policies, or wire roles to
instance profiles when the caller is an assumed role session associated with AWS Lambda. Serverless execution roles are
often over-permissioned; an adversary who can run or compromise function code can abuse these APIs for privilege
escalation and persistence—for example creating users or roles, issuing keys, attaching managed or inline policies, or
preparing EC2 instance profiles for lateral movement.
"""
false_positives = [
    """
    Some organizations intentionally use Lambda functions to provision IAM principals, bootstrap accounts, or run
    identity automation (including roles and instance profiles). Confirm the function name in `user_identity.arn`,
    deployment pipelines, and change records. Exclude known automation roles or specific
    `session_context.session_issuer.arn` values after validation.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM Sensitive Operations via Lambda Execution Role"
note = """## Triage and analysis

### Investigating AWS IAM Sensitive Operations via Lambda Execution Role

Lambda functions run under an **execution role**. When that role calls sensitive IAM control-plane APIs—user and group
changes (`CreateUser`, `AddUserToGroup`, …), user or role policies (`AttachUserPolicy`, `PutUserPolicy`,
`AttachRolePolicy`, `PutRolePolicy`), role and instance-profile wiring (`CreateRole`, `CreateInstanceProfile`,
`AddRoleToInstanceProfile`), or `CreateAccessKey`—CloudTrail typically records `user_identity.type` as `AssumedRole` and
may set `user_identity.invoked_by` to `lambda.amazonaws.com`. The session issuer ARN often references the Lambda service
or the execution role.

#### Possible investigation steps

- Parse `aws.cloudtrail.user_identity.arn` for the assumed-role session (function name or request id) and map it to the
  Lambda function and deployment path in the same account.
- Review `aws.cloudtrail.request_parameters` for targets such as `userName`, `groupName`, `roleName`, `policyArn`,
  `instanceProfileName`, or access key subject.
- Compare `user_agent.original` and `source.ip` to expected Lambda service patterns; correlate with CloudWatch Logs for
  the function around `@timestamp`.
- Hunt ±30 minutes for follow-on IAM, `sts:AssumeRole`, or data-plane access using any new credentials.

### False positive analysis

- Approved infrastructure-as-code or onboarding Lambdas may perform these calls. Tune on execution role ARN or tags.

### Response and remediation

- If unauthorized: disable the function, revoke or rotate the execution role credentials, remove rogue IAM users, roles,
  instance profiles, or keys, detach or delete unintended policies, and review permission boundaries on the role.

### Additional information

- [IAM API reference](https://docs.aws.amazon.com/IAM/latest/APIReference/)
- [Lambda execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)
"""
references = [
    "https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html",
    "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/",
    "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html",
]
risk_score = 73
rule_id = "a8f3c2e1-4d5b-4e6f-8a9b-0c1d2e3f4a5b"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS IAM",
    "Data Source: AWS Lambda",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AssumedRole"
    and (
        aws.cloudtrail.user_identity.invoked_by: "lambda.amazonaws.com"
        or user_agent.original : *AWS_Lambda*
    )
    and event.action: (
        "AddRoleToInstanceProfile" or
        "AddUserToGroup" or
        "AttachGroupPolicy" or
        "AttachRolePolicy" or
        "AttachUserPolicy" or
        "CreateAccessKey" or
        "CreateInstanceProfile" or
        "CreateRole" or
        "CreateUser" or
        "PutRolePolicy" or
        "PutUserPolicy"
    )
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.invoked_by",
    "aws.cloudtrail.user_identity.access_key_id",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
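As an added example (not Elastic's code or part of the rule), the Python below evaluates the rule's KQL predicate over ECS-shaped CloudTrail documents and performs the first triage step from the note: splitting the assumed-role session ARN into account, execution role and session name. Field paths follow the rule; the account id, role and function names, and user-agent strings in the sample documents are constructed.

```python
import fnmatch
import re

SENSITIVE_IAM_ACTIONS = {  # action list copied from the rule's query
    "AddRoleToInstanceProfile", "AddUserToGroup", "AttachGroupPolicy", "AttachRolePolicy",
    "AttachUserPolicy", "CreateAccessKey", "CreateInstanceProfile", "CreateRole",
    "CreateUser", "PutRolePolicy", "PutUserPolicy",
}
# Assumed-role session ARN shape: arn:aws:sts::<account>:assumed-role/<role>/<session>
ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$")

def matches_rule(event: dict) -> bool:
    """Evaluate the rule's KQL predicate on one ECS-shaped CloudTrail document."""
    ev = event.get("event", {})
    ident = event.get("aws", {}).get("cloudtrail", {}).get("user_identity", {})
    ua = event.get("user_agent", {}).get("original", "")
    lambda_caller = (ident.get("invoked_by") == "lambda.amazonaws.com"
                     or fnmatch.fnmatchcase(ua, "*AWS_Lambda*"))
    return (ev.get("dataset") == "aws.cloudtrail"
            and ev.get("provider") == "iam.amazonaws.com"
            and ev.get("outcome") == "success"
            and ident.get("type") == "AssumedRole"
            and lambda_caller
            and ev.get("action") in SENSITIVE_IAM_ACTIONS)

def triage_context(event: dict) -> dict:
    """Split the session ARN into account, role and session name (usually the function name)."""
    m = ASSUMED_ROLE_ARN.match(event["aws"]["cloudtrail"]["user_identity"].get("arn", ""))
    return {"account": m.group("account") if m else None,
            "execution_role": m.group("role") if m else None,
            "session_name": m.group("session") if m else None,
            "action": event["event"]["action"]}

def make_event(action, outcome="success", invoked_by=None, ua="aws-cli/2.15.0",
               arn="arn:aws:sts::123456789012:assumed-role/demo-fn-role/demo-fn"):
    """Build a constructed CloudTrail document (sample data, not a real log)."""
    ident = {"type": "AssumedRole", "arn": arn}
    ident.update({"invoked_by": invoked_by} if invoked_by else {})
    return {"event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                      "outcome": outcome, "action": action},
            "aws": {"cloudtrail": {"user_identity": ident}}, "user_agent": {"original": ua}}

# Constructed samples: the first two match the rule, the failed call and the CLI caller do not.
SAMPLE_EVENTS = [
    make_event("CreateAccessKey", invoked_by="lambda.amazonaws.com"),
    make_event("AttachRolePolicy", ua="aws-sdk-js/3.0 exec-env/AWS_Lambda_nodejs20.x"),
    make_event("CreateUser", outcome="failure", invoked_by="lambda.amazonaws.com"),
    make_event("CreateUser"),
]
```

The second sample shows why the rule keeps the `user_agent.original` wildcard: `invoked_by` is not always populated, so the Lambda execution-environment token in the user agent is the fallback signal.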
Stages and Predicates

Stage 1: query

```kql
event.dataset: "aws.cloudtrail"
    and event.provider: "iam.amazonaws.com"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AssumedRole"
    and (
        aws.cloudtrail.user_identity.invoked_by: "lambda.amazonaws.com"
        or user_agent.original : *AWS_Lambda*
    )
    and event.action: (
        "AddRoleToInstanceProfile" or
        "AddUserToGroup" or
        "AttachGroupPolicy" or
        "AttachRolePolicy" or
        "AttachUserPolicy" or
        "CreateAccessKey" or
        "CreateInstanceProfile" or
        "CreateRole" or
        "CreateUser" or
        "PutRolePolicy" or
        "PutUserPolicy"
    )
```
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| aws.cloudtrail.user_identity.invoked_by | eq | lambda.amazonaws.com |
| aws.cloudtrail.user_identity.type | eq | AssumedRole |
| event.action | in | AddRoleToInstanceProfile, AddUserToGroup, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateInstanceProfile, CreateRole, CreateUser, PutRolePolicy, PutUserPolicy |
| event.dataset | eq | aws.cloudtrail |
| event.outcome | eq | success |
| event.provider | eq | iam.amazonaws.com |
| user_agent.original | wildcard | *AWS_Lambda* |