Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect IAM Policies allowing full administrative privileges

AWS Security Hub - Detect IAM Policies allowing full administrative privileges

Back
Idde1f71d2-d127-439d-a8a2-e64d3187298a
RulenameAWS Security Hub - Detect IAM Policies allowing full administrative privileges
DescriptionThis query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.

Overly permissive policies increase the risk of privilege escalation and unauthorized access.
SeverityHigh
TacticsPersistence
PrivilegeEscalation
TechniquesT1098.003
T1078.001
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
Version1.0.0
Arm templatede1f71d2-d127-439d-a8a2-e64d3187298a.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
  or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
  by
  AwsAccountId,
  AwsRegion,
  AwsSecurityFindingTitle,
  AwsSecurityFindingDescription,
  AwsSecurityFindingId,
  ComplianceSecurityControlId,
  IAMPolicyId,
  IAMPolicyName,
  IAMPolicyDescription

tactics:
- Persistence
- PrivilegeEscalation
name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
id: de1f71d2-d127-439d-a8a2-e64d3187298a
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
    or tostring(ComplianceSecurityControlId) == "IAM.1"
  | extend
    IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
    IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
    IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
  | summarize TimeGenerated = max(TimeGenerated)
    by
    AwsAccountId,
    AwsRegion,
    AwsSecurityFindingTitle,
    AwsSecurityFindingDescription,
    AwsSecurityFindingId,
    ComplianceSecurityControlId,
    IAMPolicyId,
    IAMPolicyName,
    IAMPolicyDescription  
relevantTechniques:
- T1098.003
- T1078.001
description: |
  This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
  Overly permissive policies increase the risk of privilege escalation and unauthorized access.  
triggerOperator: gt
queryPeriod: 1h
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AwsAccountId
  - identifier: CloudAppAccountId
    columnName: AwsAccountId
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
triggerThreshold: 0
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
kind: Scheduled
queryFrequency: 1h
status: Available
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  Region: AwsRegion
  FindingId: AwsSecurityFindingId

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de1f71d2-d127-439d-a8a2-e64d3187298a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges"
        },
        "alertRuleTemplateName": "de1f71d2-d127-439d-a8a2-e64d3187298a",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS IAM policies that allow full administrative (\"*\") privileges in violation of AWS Security Hub control IAM.1.\nOverly permissive policies increase the risk of privilege escalation and unauthorized access.\n",
        "displayName": "AWS Security Hub - Detect IAM Policies allowing full administrative privileges",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/IAM.1\"\n  or tostring(ComplianceSecurityControlId) == \"IAM.1\"\n| extend\n  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),\n  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),\n  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)\n| summarize TimeGenerated = max(TimeGenerated)\n  by\n  AwsAccountId,\n  AwsRegion,\n  AwsSecurityFindingTitle,\n  AwsSecurityFindingDescription,\n  AwsSecurityFindingId,\n  ComplianceSecurityControlId,\n  IAMPolicyId,\n  IAMPolicyName,\n  IAMPolicyDescription\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1098.003",
          "T1078.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "tags": [
          "PCI DSS v3.2.1",
          "NIST 800-53 r5",
          "CIS AWS Foundations Benchmark v1.4.0"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}