From bddc9ccfcb9e33273b1676420a21c0bdde0ca689 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Thu, 18 Jun 2026 13:17:01 +0200
Subject: [PATCH 1/6] [New Rule] AWS IAM Account Password Policy Deleted
---
 ...n_iam_account_password_policy_deleted.toml | 128 ++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
new file mode 100644
index 00000000000..936eba6eeed
--- /dev/null
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
@@ -0,0 +1,128 @@
+[metadata]
+creation_date = "2026/06/18"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/06/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies deletion of the AWS account password policy via DeleteAccountPasswordPolicy. The account password policy
+enforces minimum password requirements (length, complexity, rotation, and reuse) for all IAM users in the account.
+Deleting it removes those requirements account-wide, weakening authentication and easing follow-on credential-based
+attacks. This is an account-level change that legitimately occurs only during deliberate administration, so its deletion
+by an unexpected principal warrants review.
+"""
+false_positives = [
+ """
+ Identity and platform teams or infrastructure-as-code may delete or replace the account password policy during
+ governance changes. Verify the principal in `aws.cloudtrail.user_identity.arn` against approved change records, and
+ confirm whether a replacement policy was applied shortly after. Known administration roles and automation can be
+ excluded after validation.
+ """,
+]
+from = "now-6m"
+index = ["logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS IAM Account Password Policy Deleted"
+note = """## Triage and analysis
+
+### Investigating AWS IAM Account Password Policy Deleted
+
+The account password policy is an account-wide control that sets minimum password length, character complexity, maximum
+age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to
+no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak
+credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.
+
+#### Possible investigation steps
+
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
+ `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.
+- Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was
+ left with no policy.
+- Confirm whether the change aligns with an approved governance change.
+- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other
+ defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.
+
+### False positive analysis
+
+- Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and
+ exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+- Note: AWS GuardDuty also surfaces account password policy changes via `Stealth:IAMUser/PasswordPolicyChange`; correlate
+ if GuardDuty is enabled.
+
+### Response and remediation
+
+- If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that
+ meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
+- Rotate or restrict credentials for the principal if compromise is suspected, and constrain
+ `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.
+
+### Additional information
+
+- [Account password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)
+- [DeleteAccountPasswordPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html)
+"""
+references = [
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html",
+]
+risk_score = 47
+rule_id = "283f6c2a-9811-4239-9a40-52b066c67f99"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Domain: Identity",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail"
+ and event.provider: "iam.amazonaws.com"
+ and event.action: "DeleteAccountPasswordPolicy"
+ and event.outcome: "success"
+ and not aws.cloudtrail.user_identity.type: "AWSService"
+ and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not source.as.organization.name: (Amazon* or Google*)
+ and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+ "aws.cloudtrail.request_parameters",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+]
+
From a31366898bef3a738065165cbc7897a4a407fa5f Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Thu, 18 Jun 2026 15:43:39 +0200
Subject: [PATCH 2/6] Update defense_evasion_iam_account_password_policy_deleted.toml
---
 ...n_iam_account_password_policy_deleted.toml | 26 ++++++-------------
 1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
index 936eba6eeed..c694b975bc2 100644
--- a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
@@ -30,34 +30,24 @@ note = """## Triage and analysis
 
 ### Investigating AWS IAM Account Password Policy Deleted
 
-The account password policy is an account-wide control that sets minimum password length, character complexity, maximum
-age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to
-no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak
-credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.
+The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.
 
 #### Possible investigation steps
 
-- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
- `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.
-- Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was
- left with no policy.
+- Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.
+- Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was left with no policy.
 - Confirm whether the change aligns with an approved governance change.
-- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other
- defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.
+- Correlate with recent activity by the same principal, such as creation of IAM users or login profiles, or other defense-evasion actions (CloudTrail/logging changes) that may indicate a broader effort to weaken controls.
 
 ### False positive analysis
 
-- Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and
- exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
-- Note: AWS GuardDuty also surfaces account password policy changes via `Stealth:IAMUser/PasswordPolicyChange`; correlate
- if GuardDuty is enabled.
+- Approved governance or infrastructure-as-code may delete/replace the policy. Confirm the change is expected and exclude known administration roles or automation on `aws.cloudtrail.user_identity.arn` after validation.
+- Note: AWS GuardDuty also surfaces account password policy changes via `Stealth:IAMUser/PasswordPolicyChange`; correlate if GuardDuty is enabled.
 
 ### Response and remediation
 
-- If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that
- meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
-- Rotate or restrict credentials for the principal if compromise is suspected, and constrain
- `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.
+- If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
+- Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.
 
 ### Additional information
 
From d67bb455eb425b6e3704fbd30b7b42121eb35e8e Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:12:18 +0200
Subject: [PATCH 3/6] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../aws/defense_evasion_iam_account_password_policy_deleted.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
index c694b975bc2..44149c7e44d 100644
--- a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
@@ -81,7 +81,6 @@ event.dataset: "aws.cloudtrail"
 and event.outcome: "success"
 and not aws.cloudtrail.user_identity.type: "AWSService"
 and not aws.cloudtrail.user_identity.arn: arn*/terraform
- and not source.as.organization.name: (Amazon* or Google*)
 and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
 
From 3d3f77eb3efe6b99e7df2b70ab1427984534d327 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:12:28 +0200
Subject: [PATCH 4/6] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 ...efense_evasion_iam_account_password_policy_deleted.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
index 44149c7e44d..2aa6202929d 100644
--- a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
@@ -88,10 +88,9 @@ event.dataset: "aws.cloudtrail"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1562"
-name = "Impair Defenses"
-reference = "https://attack.mitre.org/techniques/T1562/"
-
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
 
 [rule.threat.tactic]
 id = "TA0005"
From 2d5d72180414fa010d75e9ab5a05854fbe768d63 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:11:07 +0200
Subject: [PATCH 5/6] Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...se_evasion_iam_account_password_policy_deleted.toml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
index 2aa6202929d..3e2d4e4c561 100644
--- a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
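Review bot: T1556 is a sound mapping for the Defense Evasion tactic kept in the `[rule.threat.tactic]` block below, but the rule's own description frames the deletion as "easing follow-on credential-based attacks", and ATT&CK lists T1556 under Credential Access and Persistence as well, so a second `[[rule.threat]]` entry for TA0006 would make the mapping match the stated impact. The tactic block starts in this hunk but its remaining keys are outside it. If the second entry is added, the `tags` array (outside this hunk) should gain a matching `"Tactic: Credential Access"` entry so the two stay consistent.
```toml
# … unchanged: existing [[rule.threat]] entry for T1556 / TA0005 Defense Evasion …

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```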
@@ -32,7 +32,7 @@ note = """## Triage and analysis
 
 The account password policy is an account-wide control that sets minimum password length, character complexity, maximum age, and reuse-prevention for all IAM users. `DeleteAccountPasswordPolicy` removes it entirely, reverting the account to no enforced password requirements — which weakens authentication and can facilitate credential attacks or mask weak credentials created later. Because this is a single, account-level, high-impact change, it should be deliberate and rare.
 
-#### Possible investigation steps
+### Possible investigation steps
 
 - Identify the actor in `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and `aws.cloudtrail.user_identity.session_context.session_issuer.arn`, and review `source.ip` / `user_agent.original`.
 - Determine whether a replacement policy was set shortly after (`UpdateAccountPasswordPolicy`) or whether the account was left with no policy.
@@ -49,10 +49,6 @@ The account password policy is an account-wide control that sets minimum passwor
 - If the deletion is unauthorized, restore an appropriate account password policy (`UpdateAccountPasswordPolicy`) that meets your organization's standards, and review any IAM users or login profiles created while no policy was enforced.
 - Rotate or restrict credentials for the principal if compromise is suspected, and constrain `iam:DeleteAccountPasswordPolicy` and `iam:UpdateAccountPasswordPolicy` to a small set of trusted administrators.
 
-### Additional information
-
-- [Account password policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html)
-- [DeleteAccountPasswordPolicy API](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccountPasswordPolicy.html)
 """
 references = [
 "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
@@ -75,12 +71,12 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset: "aws.cloudtrail"
+data_stream.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "DeleteAccountPasswordPolicy"
 and event.outcome: "success"
 and not aws.cloudtrail.user_identity.type: "AWSService"
- and not aws.cloudtrail.user_identity.arn: arn*/terraform
+ and not aws.cloudtrail.user_identity.arn: *terraform*
 and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
 
From e1e7f117dfea0f89e2a7349f1efbb43fccc9a95b Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 26 Jun 2026 15:12:15 +0200
Subject: [PATCH 6/6] Update defense_evasion_iam_account_password_policy_deleted.toml
---
 .../defense_evasion_iam_account_password_policy_deleted.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
index 3e2d4e4c561..02b695ae40b 100644
--- a/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_iam_account_password_policy_deleted.toml
@@ -76,7 +76,8 @@ data_stream.dataset: "aws.cloudtrail"
 and event.action: "DeleteAccountPasswordPolicy"
 and event.outcome: "success"
 and not aws.cloudtrail.user_identity.type: "AWSService"
- and not aws.cloudtrail.user_identity.arn: *terraform*
+ and not user_agent.original: (*terraform* or *pulumi* or *ansible*)
+ and not aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*)
 and not source.address: ("cloudformation.amazonaws.com" or "servicecatalog.amazonaws.com")
 '''
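Review bot: The leading wildcard in the new `*terraform*` exclusion on `aws.cloudtrail.user_identity.arn` drops every principal whose ARN contains that substring, and for an assumed-role ARN the session-name part is chosen by whoever calls AssumeRole, so the match does not establish that an approved pipeline made the call; leading wildcards are also costly to evaluate on a keyword field. Once the automation principals are validated, the exclusion should name them, e.g. `and not aws.cloudtrail.user_identity.arn: "<arn-of-approved-iac-role>"` (placeholder), which is what the rule's own `false_positives` text already asks operators to do. The later hunk in this file (patch 6) widens the same pattern to `*pulumi*` and `*ansible*`, so the point applies there too.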
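Review bot: `user_agent.original` is set by the caller, so the added `and not user_agent.original: (*terraform* or *pulumi* or *ansible*)` line suppresses the alert for any call that merely presents one of those strings, regardless of which principal acted, which makes a trust decision on a field the account does not control. If the user-agent is wanted as a tuning signal, require it together with the principal rather than on its own: `and not (user_agent.original: (*terraform* or *pulumi* or *ansible*) and aws.cloudtrail.user_identity.arn: (*terraform* or *pulumi* or *ansible*))`. The `false_positives` entry and the note's false-positive section (both outside this hunk) describe only ARN-based exclusion and should mention the user-agent condition if it stays.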