Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect IAM Policies allowing full administrative privileges

AWS Security Hub - Detect IAM Policies allowing full administrative privileges

Back
Idde1f71d2-d127-439d-a8a2-e64d3187298a
RulenameAWS Security Hub - Detect IAM Policies allowing full administrative privileges
DescriptionThis query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.

Overly permissive policies increase the risk of privilege escalation and unauthorized access.
SeverityHigh
TacticsPersistence
PrivilegeEscalation
TechniquesT1098.003
T1078.001
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
Version1.0.0
Arm templatede1f71d2-d127-439d-a8a2-e64d3187298a.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
  or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
  by
  AwsAccountId,
  AwsRegion,
  AwsSecurityFindingTitle,
  AwsSecurityFindingDescription,
  AwsSecurityFindingId,
  ComplianceSecurityControlId,
  IAMPolicyId,
  IAMPolicyName,
  IAMPolicyDescription

kind: Scheduled
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
description: |
  This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
  Overly permissive policies increase the risk of privilege escalation and unauthorized access.  
severity: High
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1098.003
- T1078.001
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
status: Available
tactics:
- Persistence
- PrivilegeEscalation
name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
id: de1f71d2-d127-439d-a8a2-e64d3187298a
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
    or tostring(ComplianceSecurityControlId) == "IAM.1"
  | extend
    IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
    IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
    IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
  | summarize TimeGenerated = max(TimeGenerated)
    by
    AwsAccountId,
    AwsRegion,
    AwsSecurityFindingTitle,
    AwsSecurityFindingDescription,
    AwsSecurityFindingId,
    ComplianceSecurityControlId,
    IAMPolicyId,
    IAMPolicyName,
    IAMPolicyDescription  
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges"
        },
        "alertRuleTemplateName": "de1f71d2-d127-439d-a8a2-e64d3187298a",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS IAM policies that allow full administrative (\"*\") privileges in violation of AWS Security Hub control IAM.1.\nOverly permissive policies increase the risk of privilege escalation and unauthorized access.\n",
        "displayName": "AWS Security Hub - Detect IAM Policies allowing full administrative privileges",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/IAM.1\"\n  or tostring(ComplianceSecurityControlId) == \"IAM.1\"\n| extend\n  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),\n  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),\n  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)\n| summarize TimeGenerated = max(TimeGenerated)\n  by\n  AwsAccountId,\n  AwsRegion,\n  AwsSecurityFindingTitle,\n  AwsSecurityFindingDescription,\n  AwsSecurityFindingId,\n  ComplianceSecurityControlId,\n  IAMPolicyId,\n  IAMPolicyName,\n  IAMPolicyDescription\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1098.003",
          "T1078.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          "PCI DSS v3.2.1",
          "NIST 800-53 r5",
          "CIS AWS Foundations Benchmark v1.4.0"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}