AWS IAM Assume Role Policy Brute Force


The following detection identifies any malformed policy document exceptions with a status of failure. A malformed policy document exception occurs when someone attempts to assume a role, or to brute force one. In a brute force attempt using a tool like CloudSploit or Pacu, an attempt will look like arn:aws:iam::111111111111:role/aws-service-role/ so when an adversary is trying to identify a role name, multiple failures will occur. This detection focuses on the errors of a remote attempt that is failing.


AWS IAM Assume Role Policy Brute Force Help

The Splunk AWS Add-on and Splunk App for AWS are required to use this data. The search requires AWS CloudTrail logs. Set the where count threshold in the search to a value that identifies suspicious activity in your environment.
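
The counting and threshold logic described above, as an added Python example run over constructed CloudTrail records (this is not the Splunk search itself). It assumes that a record carrying errorCode MalformedPolicyDocumentException corresponds to the "status of failure" condition, that grouping is by account and source IP, and that the event name and default threshold shown are representative; all sample values are constructed.

```python
from collections import defaultdict

ERROR_CODE = "MalformedPolicyDocumentException"

def _event(ip, time, error=None, name="UpdateAssumeRolePolicy"):
    """Build a minimal constructed CloudTrail record (real records carry more fields)."""
    ev = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
          "sourceIPAddress": ip, "recipientAccountId": "111111111111"}
    if error:
        ev["errorCode"] = error  # assumption: presence of errorCode marks a failed call
    return ev

# Constructed sample input, not taken from a real account.
SAMPLE_EVENTS = [
    _event("198.51.100.7", "2024-01-01T10:00:01Z", ERROR_CODE),
    _event("198.51.100.7", "2024-01-01T10:00:02Z", ERROR_CODE),
    _event("198.51.100.7", "2024-01-01T10:00:03Z", ERROR_CODE),
    _event("198.51.100.7", "2024-01-01T10:00:04Z", ERROR_CODE),
    _event("203.0.113.20", "2024-01-01T11:30:00Z", ERROR_CODE),    # one-off failure
    _event("203.0.113.20", "2024-01-01T11:31:00Z"),                # successful call
    _event("192.0.2.44", "2024-01-01T12:00:00Z", "AccessDenied"),  # unrelated error
]

def find_bruteforce_sources(events, threshold=2):
    """Return sources with more than `threshold` malformed-policy failures.

    The threshold is the tunable "where count" value; 2 is an assumed default.
    """
    stats = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for ev in events:
        if ev.get("errorCode") != ERROR_CODE:
            continue
        s = stats[(ev["recipientAccountId"], ev["sourceIPAddress"])]
        s["count"] += 1
        t = ev["eventTime"]  # ISO 8601 UTC strings sort chronologically
        s["first_seen"] = t if s["first_seen"] is None else min(s["first_seen"], t)
        s["last_seen"] = t if s["last_seen"] is None else max(s["last_seen"], t)
    # Keep only sources whose failure count exceeds the threshold.
    return {k: v for k, v in stats.items() if v["count"] > threshold}

if __name__ == "__main__":
    for (account, src), s in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{account} {src} failures={s['count']} "
              f"{s['first_seen']}..{s['last_seen']}")
```

Raising the threshold suppresses sources that hit the exception once or twice through ordinary policy mistakes; the first and last timestamps show how tightly the failures are clustered.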

