
New detections for AWS IAM privilege escalation #6018

Open
privet-username wants to merge 3 commits into SigmaHQ:master from privet-username:detections_aws_iam

Conversation

@privet-username


Summary of the Pull Request

This pull request adds three new AWS CloudTrail detection rules focused on IAM Privilege Escalation techniques:

  1. AWS IAM Critical Managed Policy Attachment: Detects the attachment of highly privileged AWS-managed policies (AdministratorAccess, PowerUserAccess, IAMFullAccess) to IAM users, roles, or groups.
  2. AWS IAM Privileged Inline Policy Creation or Modification: Tracks both the initial creation and the subsequent updates (Put*Policy upserts) of inline policies that plant wildcard "*" administrative rights directly into identities.
  3. AWS IAM Customer Managed Policy Version Created or Default Version Set: A consolidated rule that detects stealthy version-based privilege escalation. It triggers when a new privileged version is created as default, or when an identity rolls back to an older, potentially highly privileged policy version.

Changelog

new: AWS IAM Critical Managed Policy Attachment
new: AWS IAM Privileged Inline Policy Creation
new: AWS IAM Customer Managed Policy Version Created or Default Version Set

Example Log Event

N/A

Fixed Issues

None.

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
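The three rules are only described in prose above. As an added example that is not part of this PR or of the SigmaHQ repository, the following Python mirrors their logic over a handful of constructed CloudTrail records: rule 1 matches Attach*Policy calls whose policyArn is one of the three named AWS-managed policies, rule 2 matches Put*Policy calls whose policyDocument contains an Allow statement with Action "*" on Resource "*", and rule 3 matches CreatePolicyVersion with setAsDefault set and a wildcard document, or any SetDefaultPolicyVersion call. The event names and requestParameters field names (policyArn, policyDocument, setAsDefault, errorCode) are assumptions taken from the public IAM API and CloudTrail record format; they are exactly the field mapping that must be validated against real logs before such rules are merged.

```python
import json
from urllib.parse import quote, unquote

# Added example, not SigmaHQ code. Event names and requestParameters fields are
# assumptions from the public IAM/CloudTrail API; validate them on real logs.

CRITICAL_MANAGED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
PUT_INLINE_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}

RULE_ATTACH = "AWS IAM Critical Managed Policy Attachment"
RULE_INLINE = "AWS IAM Privileged Inline Policy Creation or Modification"
RULE_VERSION = "AWS IAM Customer Managed Policy Version Created or Default Version Set"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_wildcard_admin(policy_document):
    """True if any Allow statement grants Action "*" on Resource "*".

    CloudTrail records policyDocument as a URL-encoded JSON string, so the
    string form is decoded first; an already-parsed dict is accepted too.
    Service-level wildcards such as "iam:*" are deliberately not matched here.
    """
    if not policy_document:
        return False
    if isinstance(policy_document, str):
        try:
            policy_document = json.loads(unquote(policy_document))
        except ValueError:
            return False
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def classify_event(event):
    """Return the title of the rule one CloudTrail record fires, or None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("errorCode"):  # the API call was denied or failed; nothing changed
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}

    if name in ATTACH_EVENTS and params.get("policyArn") in CRITICAL_MANAGED_POLICY_ARNS:
        return RULE_ATTACH
    if name in PUT_INLINE_EVENTS and policy_grants_wildcard_admin(params.get("policyDocument")):
        return RULE_INLINE
    if (name == "CreatePolicyVersion" and params.get("setAsDefault") is True
            and policy_grants_wildcard_admin(params.get("policyDocument"))):
        return RULE_VERSION
    if name == "SetDefaultPolicyVersion":  # rollback to an older version of any policy
        return RULE_VERSION
    return None


def run_rules(events):
    """Return (eventName, rule title) for every record that fires a rule."""
    hits = []
    for event in events:
        title = classify_event(event)
        if title:
            hits.append((event["eventName"], title))
    return hits


# Constructed sample records, reduced to the fields the checks read.
WILDCARD_DOC = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": "arn:aws:s3:::example-bucket/*"}]}
IAM = "iam.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventSource": IAM, "eventName": "AttachUserPolicy", "requestParameters":
        {"userName": "dev-user", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": IAM, "eventName": "AttachRolePolicy", "requestParameters":
        {"roleName": "reporting", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": IAM, "eventName": "PutUserPolicy", "requestParameters":
        {"userName": "dev-user", "policyName": "maint",
         "policyDocument": quote(json.dumps(WILDCARD_DOC))}},
    {"eventSource": IAM, "eventName": "PutRolePolicy", "requestParameters":
        {"roleName": "reporting", "policyName": "read-bucket",
         "policyDocument": quote(json.dumps(SCOPED_DOC))}},
    {"eventSource": IAM, "eventName": "CreatePolicyVersion", "requestParameters":
        {"policyArn": "arn:aws:iam::123456789012:policy/team-policy",
         "policyDocument": quote(json.dumps(WILDCARD_DOC)), "setAsDefault": True}},
    {"eventSource": IAM, "eventName": "SetDefaultPolicyVersion", "requestParameters":
        {"policyArn": "arn:aws:iam::123456789012:policy/team-policy", "versionId": "v1"}},
    {"eventSource": IAM, "eventName": "AttachGroupPolicy", "errorCode": "AccessDenied",
     "requestParameters": {"groupName": "devs",
                           "policyArn": "arn:aws:iam::aws:policy/IAMFullAccess"}},
]

if __name__ == "__main__":
    for event_name, title in run_rules(SAMPLE_EVENTS):
        print(f"{event_name}: {title}")
```

Two design points worth noting when turning this into Sigma rules: records carrying an errorCode describe a denied call and should not fire an escalation alert on their own (they may still be worth a separate reconnaissance rule), and the policyDocument match needs to cope with the URL-encoded string CloudTrail actually stores, which a plain `contains` on the raw field may not do reliably.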

github-actions bot added the labels Rules and Review Needed (The PR requires review) on May 16, 2026

@swachchhanda000 (Collaborator) left a comment

Hi @privet-username,

Thanks for the submission. Right now, these detections still need supporting evidence/examples before we can review them with confidence.

We want to avoid merging rules that are based mainly on plausible descriptions or assumed event fields, which are mostly AI-generated, without showing how they map to actual CloudTrail logs, without any testing/validation in a test environment, or derived from some research blog posts.

Please add supporting material such as:

  • raw or sanitized example logs
  • production testing/validation stats/screenshots
  • blog posts or references
  • exact AWS docs supporting the exact fields used

I’m not closing this PR for now, but we’d need that context before moving forward.

Please treat this as a general expectation for future submissions too: fewer well-supported rules are preferable to more rules that are hard to verify.
We are doing this because there are too many AI slop PRs these days.

Thanks.

swachchhanda000 added the label Author Input Required (changes that require information from the original author of the rules) on May 29, 2026