-
Notifications
You must be signed in to change notification settings - Fork 671
[New Rule] AWS IAM Permissions Boundary Modified or Removed #6300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
c41b8c6
[New Rule] AWS IAM Permissions Boundary Modified or Removed
bryans3c 46056a3
Update privilege_escalation_iam_permissions_boundary_modified.toml
bryans3c a2ad295
Potential fix for pull request finding
bryans3c 0467764
Update rules/integrations/aws/privilege_escalation_iam_permissions_bo…
bryans3c e7d6813
Update rules/integrations/aws/privilege_escalation_iam_permissions_bo…
bryans3c 3c1fab0
Apply suggestions from code review
bryans3c b1f0f95
Update privilege_escalation_iam_permissions_boundary_modified.toml
bryans3c c45e8c0
Merge branch 'main' into rule/aws-iam-permissions-boundary
bryans3c File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
123 changes: 123 additions & 0 deletions
123
rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| [metadata] | ||
| creation_date = "2026/06/18" | ||
| integration = ["aws"] | ||
| maturity = "production" | ||
| updated_date = "2026/06/18" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the modification or removal of an IAM permissions boundary on an IAM user or role. A permissions boundary | ||
| caps the maximum permissions an identity can have, regardless of its attached identity policies. An adversary who can | ||
| delete a boundary ("DeleteUserPermissionsBoundary", "DeleteRolePermissionsBoundary") or replace it with a more | ||
| permissive one ("PutUserPermissionsBoundary", "PutRolePermissionsBoundary") can lift that cap and unlock permissions the | ||
| identity's policies already grant, enabling privilege escalation. Boundary changes are infrequent and usually performed | ||
| by a small set of administrators or infrastructure-as-code pipelines, so changes by unexpected principals warrant | ||
| review. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Permissions boundaries are managed by identity/platform teams and infrastructure-as-code pipelines as part of normal | ||
| governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted user or role, and the boundary | ||
| policy against approved change records. Known administration roles and deployment automation can be excluded after | ||
| validation. | ||
| """, | ||
| ] | ||
| from = "now-6m" | ||
| index = ["logs-aws.cloudtrail-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "AWS IAM Permissions Boundary Modified or Removed" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating AWS IAM Permissions Boundary Modified or Removed | ||
|
|
||
| An IAM permissions boundary is the maximum set of permissions an identity can ever have — even if its identity policies grant more, the effective permissions are the intersection of the two. Removing a boundary (`DeleteUserPermissionsBoundary` / `DeleteRolePermissionsBoundary`) or replacing it with a broader one (`PutUserPermissionsBoundary` / `PutRolePermissionsBoundary`) lifts that cap, so any permissions already present in the identity's attached policies immediately take effect. This is a recognized privilege-escalation path: an adversary who can edit a boundary can unlock latent permissions without attaching any new policy. | ||
|
|
||
| #### Possible investigation steps | ||
|
|
||
| - Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made (console, CLI, SDK, automation). | ||
| - Inspect `aws.cloudtrail.request_parameters` for the targeted `userName`/`roleName` and, for `Put*` operations, the `permissionsBoundary` policy ARN that was applied. | ||
| - Determine the identity's attached identity policies to assess what permissions are now unlocked by the boundary change (the effective blast radius). | ||
| - Confirm whether the change aligns with an approved governance change, onboarding, or deployment. | ||
| - Correlate with recent activity by the same principal, such as policy attachment, access key creation, or role assumption that may indicate an escalation chain. | ||
|
|
||
| ### False positive analysis | ||
|
|
||
| - Identity/platform teams and infrastructure-as-code routinely set and update boundaries. Confirm the change is approved and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation. | ||
|
|
||
| ### Response and remediation | ||
|
|
||
| - If the change is unauthorized, restore the intended permissions boundary on the affected identity and review what the identity could access while the boundary was relaxed or absent. | ||
| - Rotate or restrict credentials for the principal that made the change if compromise is suspected, and constrain `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and `iam:DeleteRolePermissionsBoundary` to a small set of trusted administrators. | ||
|
|
||
| """ | ||
| references = [ | ||
| "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html", | ||
| "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "0f5d410c-a594-4cdb-8b48-f36a61838d67" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: Identity", | ||
| "Data Source: AWS", | ||
| "Data Source: Amazon Web Services", | ||
| "Data Source: AWS IAM", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Privilege Escalation", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset: "aws.cloudtrail" | ||
| and event.provider: "iam.amazonaws.com" | ||
| and event.action: ( | ||
| "PutUserPermissionsBoundary" or | ||
| "PutRolePermissionsBoundary" or | ||
| "DeleteUserPermissionsBoundary" or | ||
| "DeleteRolePermissionsBoundary" | ||
| ) | ||
| and event.outcome: "success" | ||
| and not aws.cloudtrail.user_identity.type: "AWSService" | ||
| and not user_agent.original: (*terraform* or *pulumi* or *ansible*) | ||
| and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*) | ||
| and not source.as.organization.name: (Amazon* or AMAZON* or Google*) | ||
| and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com") | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0004" | ||
| name = "Privilege Escalation" | ||
| reference = "https://attack.mitre.org/tactics/TA0004/" | ||
|
bryans3c marked this conversation as resolved.
|
||
|
|
||
| [rule.investigation_fields] | ||
| field_names = [ | ||
| "@timestamp", | ||
| "user.name", | ||
| "user_agent.original", | ||
| "source.ip", | ||
| "aws.cloudtrail.user_identity.arn", | ||
| "aws.cloudtrail.user_identity.type", | ||
| "aws.cloudtrail.user_identity.access_key_id", | ||
| "aws.cloudtrail.user_identity.session_context.session_issuer.arn", | ||
| "aws.cloudtrail.request_parameters", | ||
| "aws.cloudtrail.response_elements", | ||
| "event.action", | ||
| "event.outcome", | ||
| "cloud.account.id", | ||
| "cloud.region", | ||
| ] | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.