[New Rule] AWS IAM Inline Policy Added to a Group #6301
Merged
9 commits
9bd96a2
[New Rule] AWS IAM Inline Policy Added to a Group
bryans3c 0b8be40
Update privilege_escalation_iam_inline_policy_added_to_group.toml
bryans3c 212d815
Potential fix for pull request finding
bryans3c 0881dfe
Potential fix for pull request finding
bryans3c d449827
Potential fix for pull request finding
bryans3c 1aa69a2
Potential fix for pull request finding
bryans3c 74f0a66
Apply suggestions from code review
bryans3c 46bf6fc
Refine IAM policy conditions for privilege escalation
bryans3c b2e07d5
Merge branch 'main' into rule/aws-iam-group-inline-policy
bryans3c
137 changes: 137 additions & 0 deletions
rules/integrations/aws/privilege_escalation_iam_inline_policy_added_to_group.toml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| [metadata] | ||
| creation_date = "2026/06/18" | ||
| integration = ["aws"] | ||
| maturity = "production" | ||
| updated_date = "2026/06/18" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies an inline policy added to an IAM group via PutGroupPolicy. An inline policy attached to a group grants its | ||
| permissions to every current and future member of that group. Adversaries can abuse this to escalate privileges (grant | ||
| elevated permissions to a group they belong to, or will add themselves to) and to establish persistence through a | ||
| durable, membership-based grant that is easy to overlook. Group inline policies are uncommon compared to managed-policy | ||
| attachments, so their creation by an unexpected principal warrants review. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Identity and platform teams and infrastructure-as-code pipelines occasionally manage group inline policies as part | ||
| of normal access governance. Verify the principal in `aws.cloudtrail.user_identity.arn`, the targeted group, and the | ||
| policy document against approved change records. Known administration roles and deployment automation can be | ||
| excluded after validation. | ||
| """, | ||
| ] | ||
| from = "now-6m" | ||
| index = ["logs-aws.cloudtrail-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "AWS IAM Inline Policy Added to a Group" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating AWS IAM Inline Policy Added to a Group | ||
|
|
||
| `PutGroupPolicy` embeds an inline permissions policy directly on an IAM group. Because the policy applies to all members of the group, it is an effective way to broadly grant permissions — and, for an adversary, to escalate privileges or persist while drawing less attention than attaching a well-known managed policy such as `AdministratorAccess`. Group inline policies are relatively rare, which makes their creation a useful signal. | ||
|
|
||
| ### Possible investigation steps | ||
|
|
||
| - Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original` to determine how the change was made. | ||
| - Inspect `aws.cloudtrail.request_parameters` for the targeted `groupName`, the `policyName`, and the `policyDocument` to assess what permissions were granted (look for broad `Action`/`Resource` of `*`, IAM, or data-access permissions). | ||
| - Enumerate the group's current members to understand who immediately gains the new permissions, and whether the actor is or could become a member. | ||
| - Confirm whether the change aligns with an approved access request, onboarding, or deployment. | ||
| - Correlate with recent activity by the same principal, such as group creation, adding users to the group, or other IAM modifications that may form an escalation chain. | ||
|
|
||
| ### False positive analysis | ||
|
|
||
| - Approved access governance and infrastructure-as-code may add group inline policies. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation. | ||
|
|
||
| ### Response and remediation | ||
|
|
||
| - If the change is unauthorized, remove the inline policy from the group (`DeleteGroupPolicy`) and review which members used the granted permissions while it was in place. | ||
| - Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:PutGroupPolicy` to a small set of trusted administrators. | ||
|
|
||
| ### Additional information | ||
|
|
||
| - [IAM identity-based policies (inline)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) | ||
| - [PutGroupPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html) | ||
| """ | ||
| references = [ | ||
| "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html", | ||
| "https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "87f8141e-4275-4d49-9e76-d215b4614a0b" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: Identity", | ||
| "Data Source: AWS", | ||
| "Data Source: Amazon Web Services", | ||
| "Data Source: AWS IAM", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Privilege Escalation", | ||
| "Tactic: Persistence", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset: "aws.cloudtrail" | ||
| and event.provider: "iam.amazonaws.com" | ||
| and event.action: "PutGroupPolicy" | ||
| and event.outcome: "success" | ||
| and not aws.cloudtrail.user_identity.type: "AWSService" | ||
| and not user_agent.original: (*terraform* or *pulumi* or *ansible*) | ||
| and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*) | ||
| and not source.as.organization.name: (Amazon* or AMAZON* or Google*) | ||
| and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com") | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0004" | ||
| name = "Privilege Escalation" | ||
| reference = "https://attack.mitre.org/tactics/TA0004/" | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1098.003" | ||
| name = "Additional Cloud Roles" | ||
| reference = "https://attack.mitre.org/techniques/T1098/003/" | ||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [rule.investigation_fields] | ||
| field_names = [ | ||
| "@timestamp", | ||
| "user.name", | ||
| "user_agent.original", | ||
| "source.ip", | ||
| "aws.cloudtrail.user_identity.arn", | ||
| "aws.cloudtrail.user_identity.type", | ||
| "aws.cloudtrail.user_identity.access_key_id", | ||
| "aws.cloudtrail.user_identity.session_context.session_issuer.arn", | ||
| "aws.cloudtrail.request_parameters", | ||
| "aws.cloudtrail.response_elements", | ||
| "event.action", | ||
| "event.outcome", | ||
| "cloud.account.id", | ||
| "cloud.region", | ||
| ] | ||
|
|
||
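Review bot: the trailing exclusion clauses in the `query` block (the `not user_agent.original: (*terraform* or *pulumi* or *ansible*)`, `not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)` and `not source.as.organization.name: (Amazon* or AMAZON* or Google*)` lines) are broad and partly under the caller's control, so they open detection gaps that the rule's own `false_positives` text does not acknowledge. `user_agent.original` is whatever the client sends, and a substring match on the principal ARN silences every role or user whose name happens to contain one of those words; excluding all source ASNs owned by Amazon or Google suppresses any successful `PutGroupPolicy` issued from an EC2 or GCE host, which is exactly where compromised workload credentials tend to be used. The `false_positives` entry already says known administration roles and deployment automation "can be excluded after validation", which is the better model: consider dropping the user-agent and ASN filters from the query, keeping only the `AWSService` / `source.address` service-principal exclusions, and leaving per-environment tuning to rule exceptions on `aws.cloudtrail.user_identity.arn` so the hard-coded filters and the documented guidance agree.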