AWS IAM Assume Role Policy Brute Force

Description

This detection identifies malformed policy document exceptions with a status of failure. A malformed policy document exception occurs when someone attempts to assume, or brute force, a role. In a brute force attempt using a tool like CloudSploit or Pacu, an attempt will look like arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS. When an adversary is attempting to identify a role name, multiple failures will occur. This detection focuses on the errors produced by a remote attempt that is failing.

AWS IAM Assume Role Policy Brute Force Help

The Splunk AWS Add-on and Splunk App for AWS are required to use this data. The search requires AWS CloudTrail logs. Set the where count threshold to a value that identifies suspicious activity in your environment.
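The same logic applied outside Splunk, as an added example that is not the detection's own search: it counts MalformedPolicyDocumentException failures per source over CloudTrail records and keeps the sources above a threshold. It assumes raw CloudTrail field names, treats the presence of errorCode as the failure status, and uses constructed sample records, a hypothetical default threshold and a hypothetical grouping key of source IP and account.

```python
from collections import defaultdict

ERROR_CODE = "MalformedPolicyDocumentException"


def _event(time, src, error_code=None):
    """Build a minimal constructed CloudTrail record (sample data, not a real log)."""
    rec = {"eventTime": time, "eventSource": "iam.amazonaws.com",
           "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": src,
           "recipientAccountId": "111111111111"}
    if error_code:  # CloudTrail only sets errorCode on failed calls
        rec["errorCode"] = error_code
    return rec


# Constructed sample: one noisy source, one source with a single failure,
# one successful call, and one unrelated error that must be ignored.
SAMPLE_EVENTS = (
    [_event(f"2024-01-01T10:00:0{i}Z", "203.0.113.10", ERROR_CODE) for i in range(6)]
    + [_event("2024-01-01T11:00:00Z", "198.51.100.7", ERROR_CODE),
       _event("2024-01-01T11:05:00Z", "198.51.100.7"),
       _event("2024-01-01T10:01:00Z", "203.0.113.10", "AccessDenied")]
)


def find_brute_force(events, threshold=2):
    """Group malformed-policy failures by (source IP, account).

    Returns only the groups whose failure count is greater than threshold,
    with the first and last event time for triage. threshold=2 is a
    placeholder default; tune it to the environment.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") == ERROR_CODE:
            key = (ev.get("sourceIPAddress"), ev.get("recipientAccountId"))
            groups[key].append(ev["eventTime"])
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    return {key: {"count": len(t), "first": min(t), "last": max(t)}
            for key, t in groups.items() if len(t) > threshold}


if __name__ == "__main__":
    for (src, acct), hit in find_brute_force(SAMPLE_EVENTS).items():
        print(f"{src} account={acct} failures={hit['count']} "
              f"first={hit['first']} last={hit['last']}")
```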
