data_sources/aws_cloudtrail_createpolicyversion.yml

name: AWS CloudTrail CreatePolicyVersion
id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
version: 2
date: '2025-01-23'
author: Patrick Bareiss, Splunk
description: Logs the creation of new versions of IAM policies, including changes
  to permissions and attached roles or resources.
mitre_components:
- Cloud Service Modification
- Cloud Service Metadata
- User Account Metadata
- Group Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
separator_value: CreatePolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
  url: https://splunkbase.splunk.com/app/1876
  version: 7.9.1
fields:
- _time
- action
- app
- awsRegion
- aws_account_id
- change_type
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- eventtype
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.policyArn
- requestParameters.policyDocument
- requestParameters.setAsDefault
- responseElements.policyVersion.createDate
- responseElements.policyVersion.isDefaultVersion
- responseElements.policyVersion.versionId
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- status
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.principalId
- userIdentity.type
- userIdentity.userName
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
  "AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate",
  "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName":
  "rhino_escalate"}, "eventTime": "2021-02-23T00:02:30Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress":
  "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64
  command/iam.create-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/rhino_escalate",
  "policyDocument": "{\n   \"Version\": \"2012-10-17\",\n   \"Statement\": [\n       {\n           \"Sid\":
  \"AllowEverything\",\n           \"Effect\": \"Allow\",\n           \"Action\":
  \"iam:*\",\n           \"Resource\": \"*\"\n       }\n    ]\n }", "setAsDefault":
  true}, "responseElements": {"policyVersion": {"versionId": "v2", "isDefaultVersion":
  true, "createDate": "Feb 23, 2021 12:02:30 AM"}}, "requestID": "fa42b4b2-f34a-4673-8f9f-b25cf1f5005a",
  "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType":
  "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
  "111111111111"}'
output_fields:
- dest
- user
- user_agent
- src
- vendor_account
- vendor_region
- vendor_product