Microsoft Sentinel Analytic Rules

AWS Security Hub - Detect IAM Policies allowing full administrative privileges

Id: de1f71d2-d127-439d-a8a2-e64d3187298a
Rule name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
Description: This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.

Overly permissive policies increase the risk of privilege escalation and unauthorized access.
Severity: High
Tactics: Persistence
PrivilegeEscalation
Techniques: T1098.003
T1078.001
Required data connectors: AWSSecurityHub
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
Version: 1.0.0
Arm template: de1f71d2-d127-439d-a8a2-e64d3187298a.json
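// AWS Security Hub control IAM.1: IAM policies that grant full ("*") administrative privileges.
// Only findings that are still ACTIVE and currently FAILED are considered, so findings that
// have been archived or that now pass the control are excluded.
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match control IAM.1 by GeneratorId or by the explicit SecurityControlId.
// NOTE(review): the finding Title is NOT inspected here, so a finding that identifies
// IAM.1 only through its Title would be missed.
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
  or tostring(ComplianceSecurityControlId) == "IAM.1"
// Only the first resource attached to the finding is inspected -- TODO confirm IAM.1
// findings always carry exactly one AwsIamPolicy resource.
| extend PolicyDetails = Resources[0].Details.AwsIamPolicy
| extend
  IAMPolicyId = tostring(PolicyDetails.PolicyId),
  IAMPolicyName = tostring(PolicyDetails.PolicyName),
  IAMPolicyDescription = tostring(PolicyDetails.Description)
// Collapse repeated findings for the same policy into one row carrying the latest occurrence;
// PolicyDetails is intentionally not a group key and is dropped here.
| summarize TimeGenerated = max(TimeGenerated)
  by
  AwsAccountId,
  AwsRegion,
  AwsSecurityFindingTitle,
  AwsSecurityFindingDescription,
  AwsSecurityFindingId,
  ComplianceSecurityControlId,
  IAMPolicyId,
  IAMPolicyName,
  IAMPolicyDescription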
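# Scheduled analytic rule: raises a High-severity alert per AWS account when Security Hub
# reports a FAILED IAM.1 finding (an IAM policy granting full "*" administrative privileges).
query: |
  // Only findings that are still ACTIVE and currently FAILED are considered.
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId
  // (the finding Title is not inspected).
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
    or tostring(ComplianceSecurityControlId) == "IAM.1"
  // Only the first resource attached to the finding is inspected.
  | extend
    IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
    IAMPolicyName = tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
    IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
  // Collapse repeated findings for the same policy into one row with the latest occurrence.
  | summarize TimeGenerated = max(TimeGenerated)
    by
    AwsAccountId,
    AwsRegion,
    AwsSecurityFindingTitle,
    AwsSecurityFindingDescription,
    AwsSecurityFindingId,
    ComplianceSecurityControlId,
    IAMPolicyId,
    IAMPolicyName,
    IAMPolicyDescription
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
description: |
  This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
  Overly permissive policies increase the risk of privilege escalation and unauthorized access.
# queryPeriod equals queryFrequency, so each run looks back over the hour since the previous run.
queryPeriod: 1h
# Any result row (threshold 0, operator gt) produces an alert.
triggerOperator: gt
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
# {{...}} placeholders are substituted from the query's result columns.
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
queryFrequency: 1h
version: 1.0.0
id: de1f71d2-d127-439d-a8a2-e64d3187298a
tactics:
- Persistence
- PrivilegeEscalation
# The AWS account is the only entity mapped; the IAM policy itself is surfaced via customDetails.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AwsAccountId
  - identifier: CloudAppAccountId
    columnName: AwsAccountId
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
severity: High
# Each value is a result column of the query; the policy identity is included so an analyst
# can triage the alert without re-running the query.
customDetails:
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
  ComplianceControlId: ComplianceSecurityControlId
  PolicyId: IAMPolicyId
  PolicyName: IAMPolicyName
triggerThreshold: 0
kind: Scheduled
relevantTechniques:
- T1098.003
- T1078.001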
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges"
        },
        "alertRuleTemplateName": "de1f71d2-d127-439d-a8a2-e64d3187298a",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS IAM policies that allow full administrative (\"*\") privileges in violation of AWS Security Hub control IAM.1.\nOverly permissive policies increase the risk of privilege escalation and unauthorized access.\n",
        "displayName": "AWS Security Hub - Detect IAM Policies allowing full administrative privileges",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/IAM.1\"\n  or tostring(ComplianceSecurityControlId) == \"IAM.1\"\n| extend\n  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),\n  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),\n  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)\n| summarize TimeGenerated = max(TimeGenerated)\n  by\n  AwsAccountId,\n  AwsRegion,\n  AwsSecurityFindingTitle,\n  AwsSecurityFindingDescription,\n  AwsSecurityFindingId,\n  ComplianceSecurityControlId,\n  IAMPolicyId,\n  IAMPolicyName,\n  IAMPolicyDescription\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1098.003",
          "T1078.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          "PCI DSS v3.2.1",
          "NIST 800-53 r5",
          "CIS AWS Foundations Benchmark v1.4.0"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}