Detection rules › Panther
IAM Entity Created Without CloudFormation
An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136 Create Account |
Rules detecting the same action
Other rules in this catalog (across Splunk, Elastic and Kusto) that filter on the same IAM API calls.
- ASL AWS Create Policy Version to allow all resources (Splunk)
- AWS Lateral Movement from Kubernetes SA via AssumeRoleWithWebIdentity (Elastic)
- AWSCloudTrail - CloudFormation policy created then used for privilege escalation (Kusto)
- AWSCloudTrail - Created CRUD S3 policy and then privilege escalation (Kusto)
- AWSCloudTrail - Creation of CRUD DynamoDB policy and then privilege escalation (Kusto)
- AWSCloudTrail - Creation of CRUD KMS policy and then privilege escalation (Kusto)
- AWSCloudTrail - Creation of CRUD Lambda policy and then privilege escalation (Kusto)
- AWSCloudTrail - Creation of DataPipeline policy and then privilege escalation (Kusto)
Rule body

```yaml
AnalysisType: rule
Filename: aws_iam_entity_created_without_cloudformation.py
RuleID: "AWS.CloudTrail.IAMEntityCreatedWithoutCloudFormation"
DisplayName: "IAM Entity Created Without CloudFormation"
Enabled: false
LogTypes:
  - AWS.CloudTrail
Reports:
  MITRE ATT&CK:
    - TA0003:T1136
Tags:
  - AWS
  - Configuration Required
  - Identity and Access Management
  - Persistence:Create Account
Severity: Medium
Description: >
  An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly.
Runbook: >
  Verify whether the IAM entity needs to exist. If so, re-create it in an appropriate CloudFormation, Terraform, or other template, then delete the original manually created entity.
Reference: https://blog.awsfundamentals.com/aws-iam-roles-with-aws-cloudformation
SummaryAttributes:
  - userAgent
  - sourceIpAddress
  - recipientAccountId
  - p_any_aws_arns
Tests:
  - Name: IAM Entity Created Automatically
    ExpectedResult: false
    Log:
      {
        "eventVersion": "1.05",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "invokedBy": "cloudformation.amazonaws.com",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::123456789012:role/IdentityCFNServiceRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
  - Name: IAM Entity Created Manually With Approved Role
    ExpectedResult: true
    Log:
      {
        "eventVersion": "1.05",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::123456789012:role/IdentityCFNServiceRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
  - Name: IAM Entity Created Manually With Approved Role Pattern
    ExpectedResult: false
    Log:
      {
        "eventVersion": "1.05",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "invokedBy": "cloudformation.amazonaws.com",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::210987654321:role/IdentityCFNServiceRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
  - Name: IAM Entity Created Manually
    ExpectedResult: true
    Log:
      {
        "eventVersion": "1.05",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::123456789012:role/OtherRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
  - Name: Non IAM Entity Creation Event
    ExpectedResult: false
    Log:
      {
        "eventVersion": "1.05",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::123456789012:role/OtherRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "NotCreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
  - Name: Error Manually Creating IAM Entity
    ExpectedResult: false
    Log:
      {
        "eventVersion": "1.05",
        "errorCode": "EntityAlreadyExists",
        "userIdentity":
          {
            "type": "AssumedRole",
            "principalId": "1111:tester",
            "arn": "arn:aws:sts::123456789012:assumed-role/tester",
            "accountId": "123456789012",
            "accessKeyId": "1",
            "sessionContext":
              {
                "attributes":
                  {
                    "mfaAuthenticated": "true",
                    "creationDate": "2019-01-01T00:00:00Z",
                  },
                "sessionIssuer":
                  {
                    "type": "Role",
                    "principalId": "1111",
                    "arn": "arn:aws:iam::123456789012:role/OtherRole",
                    "accountId": "123456789012",
                    "userName": "tester",
                  },
              },
          },
        "eventTime": "2019-01-01T00:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "111.111.111.111",
        "userAgent": "console.amazonaws.com",
        "requestParameters": { "userName": "user", "path": "/" },
        "responseElements": null,
        "requestID": "1",
        "eventID": "1",
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789012",
      }
```
Detection logic
Condition (an alert requires both lines to hold)
not (errorCode is_not_null or errorMessage is_not_null or eventName not in ["BatchCreateUser", "CreateGroup", "CreateInstanceProfile", "CreatePolicy", "CreatePolicyVersion", "CreateRole", "CreateServiceLinkedRole", "CreateUser"])
userIdentity.invokedBy ne "cloudformation.amazonaws.com" or userIdentity.sessionContext.sessionIssuer.arn not in ["arn:aws:iam::123456789012:role/IdentityCFNServiceRole"]
The first line scopes the rule to successful IAM entity-creation calls: CloudTrail sets errorCode and/or errorMessage on a failed call, so a rejected CreateUser (see the "Error Manually Creating IAM Entity" test) never alerts. The second line alerts when the call was not made on behalf of CloudFormation, or was made through CloudFormation by a role outside the approved list. This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract. The test "IAM Entity Created Manually With Approved Role Pattern" (the same role name in account 210987654321, expected not to alert) shows that this extra logic includes a pattern-based allowlist of session-issuer ARNs alongside the exact ARN shown here. Both the exact ARN and the pattern are tied to a specific account and CloudFormation service role, which is why the rule is tagged "Configuration Required" and ships with Enabled: false.
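The conditions above as a stand-alone Python rule that can be run offline against constructed CloudTrail records. This is an added example, not the Panther rule's own source (the page names the file aws_iam_entity_created_without_cloudformation.py but does not reproduce it). The event set and the exact-ARN allowlist are copied from the conditions above; the regex pattern allowlist is an assumption inferred from the "IAM Entity Created Manually With Approved Role Pattern" test, and the `deep_get` helper, `make_event` builder and the sample records are constructed here. The samples mirror the page's six unit tests and add one the page does not exercise: CloudFormation invoked by a role that is neither the approved ARN nor a pattern match.

```python
import re
from typing import Any, Dict, List, Optional

# Reconstruction of the structured conditions above (not Panther's own rule source).
# API calls that create IAM entities, as listed in the Detection logic section.
IAM_ENTITY_CREATION_EVENTS = {
    "BatchCreateUser", "CreateGroup", "CreateInstanceProfile", "CreatePolicy",
    "CreatePolicyVersion", "CreateRole", "CreateServiceLinkedRole", "CreateUser",
}
# Exact session-issuer ARNs allowed to create IAM entities through CloudFormation (from the page).
IAM_ADMIN_ROLES = {"arn:aws:iam::123456789012:role/IdentityCFNServiceRole"}
# Assumption: a regex allowlist for the same role name in any account, inferred from the
# "Approved Role Pattern" test case; the page does not show the rule's real pattern list.
IAM_ADMIN_ROLE_PATTERNS = (re.compile(r"^arn:aws:iam::\d{12}:role/IdentityCFNServiceRole$"),)


def deep_get(event: Dict[str, Any], *keys: str) -> Optional[Any]:
    """Walk nested dicts, returning None as soon as a key is missing."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """True when an IAM entity was created outside the approved CloudFormation path."""
    # Out of scope: failed calls (CloudTrail sets errorCode/errorMessage) and non-creation calls.
    if event.get("errorCode") is not None or event.get("errorMessage") is not None:
        return False
    if event.get("eventName") not in IAM_ENTITY_CREATION_EVENTS:
        return False
    # Any call not made on behalf of CloudFormation is manual by definition.
    if deep_get(event, "userIdentity", "invokedBy") != "cloudformation.amazonaws.com":
        return True
    issuer_arn = deep_get(event, "userIdentity", "sessionContext", "sessionIssuer", "arn") or ""
    if any(p.match(issuer_arn) for p in IAM_ADMIN_ROLE_PATTERNS):
        return False
    # CloudFormation invoked by a role outside the allowlist still alerts.
    return issuer_arn not in IAM_ADMIN_ROLES


def make_event(event_name: str, issuer_arn: str, invoked_by: Optional[str] = None,
               error_code: Optional[str] = None) -> Dict[str, Any]:
    """Constructed minimal CloudTrail record shaped like the rule's test logs."""
    identity: Dict[str, Any] = {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/tester",
        "sessionContext": {"sessionIssuer": {"type": "Role", "arn": issuer_arn}},
    }
    if invoked_by:
        identity["invokedBy"] = invoked_by
    event: Dict[str, Any] = {"eventSource": "iam.amazonaws.com", "eventName": event_name,
                             "userIdentity": identity, "recipientAccountId": "123456789012"}
    if error_code:
        event["errorCode"] = error_code
    return event


CFN = "cloudformation.amazonaws.com"
APPROVED = "arn:aws:iam::123456789012:role/IdentityCFNServiceRole"
OTHER_ACCOUNT = "arn:aws:iam::210987654321:role/IdentityCFNServiceRole"
OTHER_ROLE = "arn:aws:iam::123456789012:role/OtherRole"

# Constructed samples mirroring the page's unit tests, plus one the page does not exercise
# (CloudFormation invoked by an unapproved role). Value: (event, expected verdict).
SAMPLES = {
    "CloudFormation via approved role": (make_event("CreateUser", APPROVED, CFN), False),
    "approved role, but not via CloudFormation": (make_event("CreateUser", APPROVED), True),
    "CloudFormation via approved role pattern": (make_event("CreateUser", OTHER_ACCOUNT, CFN), False),
    "CloudFormation via unapproved role": (make_event("CreateRole", OTHER_ROLE, CFN), True),
    "manual CreateUser from other role": (make_event("CreateUser", OTHER_ROLE), True),
    "non-creation IAM call": (make_event("NotCreateUser", OTHER_ROLE), False),
    "failed manual CreateUser": (make_event("CreateUser", OTHER_ROLE, error_code="EntityAlreadyExists"), False),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every sample; returns {sample name: alerted}."""
    return {name: rule(event) for name, (event, _expected) in SAMPLES.items()}


def mismatches() -> List[str]:
    """Sample names whose verdict differs from the expectation recorded in SAMPLES."""
    return [name for name, (event, expected) in SAMPLES.items() if rule(event) != expected]


if __name__ == "__main__":
    for name, alerted in evaluate_samples().items():
        print(f"{'ALERT ' if alerted else 'ignore'}  {name}")
    print("mismatches:", mismatches())
```

Before enabling a rule like this, replace `IAM_ADMIN_ROLES` and `IAM_ADMIN_ROLE_PATTERNS` with the CloudFormation service role(s) actually used in your accounts; with the sample values every CloudFormation-driven creation from another role alerts, which is the intended failure mode of a "Configuration Required" rule rather than a bug.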
Exclusions
Top-level NOT(...) conjuncts: predicates whose truth suppresses the rule. An event is in scope only when none of them holds.

| Field | Kind | Values |
|---|---|---|
| errorCode | is_not_null | |
| errorMessage | is_not_null | |
| eventName | not in | BatchCreateUser, CreateGroup, CreateInstanceProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateUser |
Indicators
Each row is a field, operator, and value that the rule matches, taken from the structured conditions above.

| Field | Kind | Values |
|---|---|---|
| eventName | in | BatchCreateUser, CreateGroup, CreateInstanceProfile, CreatePolicy, CreatePolicyVersion, CreateRole, CreateServiceLinkedRole, CreateUser |
| userIdentity.invokedBy | ne | cloudformation.amazonaws.com |
| userIdentity.sessionContext.sessionIssuer.arn | not in | arn:aws:iam::123456789012:role/IdentityCFNServiceRole |
Output fields
Fields of the CloudTrail event the rule reads and that are available on the resulting alert. For this Panther rule the SummaryAttributes in the rule body (userAgent, sourceIpAddress, recipientAccountId, p_any_aws_arns) are the subset surfaced in the alert summary.

| Field |
|---|
| eventName |
| eventSource |
| awsRegion |
| recipientAccountId |
| sourceIPAddress |
| userAgent |
| userIdentity |