AWS Security Hub - Detect IAM Policies allowing full administrative privileges
| Id | de1f71d2-d127-439d-a8a2-e64d3187298a |
| Rulename | AWS Security Hub - Detect IAM Policies allowing full administrative privileges |
| Description | This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1. Overly permissive policies increase the risk of privilege escalation and unauthorized access. |
| Severity | High |
| Tactics | Persistence PrivilegeEscalation |
| Techniques | T1098.003 T1078.001 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml |
| Version | 1.0.0 |
| Arm template | de1f71d2-d127-439d-a8a2-e64d3187298a.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
IAMPolicyName = tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
by
AwsAccountId,
AwsRegion,
AwsSecurityFindingTitle,
AwsSecurityFindingDescription,
AwsSecurityFindingId,
ComplianceSecurityControlId,
IAMPolicyId,
IAMPolicyName,
IAMPolicyDescription
triggerThreshold: 0
queryFrequency: 1h
description: |
This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
Overly permissive policies increase the risk of privilege escalation and unauthorized access.
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
IAMPolicyName = tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
by
AwsAccountId,
AwsRegion,
AwsSecurityFindingTitle,
AwsSecurityFindingDescription,
AwsSecurityFindingId,
ComplianceSecurityControlId,
IAMPolicyId,
IAMPolicyName,
IAMPolicyDescription
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
customDetails:
FindingId: AwsSecurityFindingId
Region: AwsRegion
ComplianceControlId: ComplianceSecurityControlId
alertDetailsOverride:
alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AwsAccountId
- identifier: CloudAppAccountId
columnName: AwsAccountId
entityType: Account
version: 1.0.0
id: de1f71d2-d127-439d-a8a2-e64d3187298a
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
relevantTechniques:
- T1098.003
- T1078.001
triggerOperator: gt
tactics:
- Persistence
- PrivilegeEscalation
kind: Scheduled
queryPeriod: 1h