AWS Detect Role Creation
This search provides detection of role creation by IAM users. Role creation is an event by itself if user is creating a new role with trust policies different than the available in AWS and it can be used for lateral movement and escalation of privileges.
AWS Detect Role Creation Help
You must install splunk AWS add-on and Splunk App for AWS. This search works with cloudwatch logs
Open in Search