AWS Security Hub - Detect IAM Policies allowing full administrative privileges

Back


Id	de1f71d2-d127-439d-a8a2-e64d3187298a
Rulename	AWS Security Hub - Detect IAM Policies allowing full administrative privileges
Description	This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1. Overly permissive policies increase the risk of privilege escalation and unauthorized access.
Severity	High
Tactics	Persistence PrivilegeEscalation
Techniques	T1098.003 T1078.001
Required data connectors	AWSSecurityHub
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
Version	1.0.0
Arm template	de1f71d2-d127-439d-a8a2-e64d3187298a.json

KQL

AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
  or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
  by
  AwsAccountId,
  AwsRegion,
  AwsSecurityFindingTitle,
  AwsSecurityFindingDescription,
  AwsSecurityFindingId,
  ComplianceSecurityControlId,
  IAMPolicyId,
  IAMPolicyName,
  IAMPolicyDescription

YAML

name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
id: de1f71d2-d127-439d-a8a2-e64d3187298a
description: |
  This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
  Overly permissive policies increase the risk of privilege escalation and unauthorized access.  
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
  entityType: Account
version: 1.0.0
triggerOperator: gt
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
    or tostring(ComplianceSecurityControlId) == "IAM.1"
  | extend
    IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
    IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
    IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
  | summarize TimeGenerated = max(TimeGenerated)
    by
    AwsAccountId,
    AwsRegion,
    AwsSecurityFindingTitle,
    AwsSecurityFindingDescription,
    AwsSecurityFindingId,
    ComplianceSecurityControlId,
    IAMPolicyId,
    IAMPolicyName,
    IAMPolicyDescription  
tactics:
- Persistence
- PrivilegeEscalation
kind: Scheduled
queryFrequency: 1h
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
severity: High
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
status: Available
customDetails:
  FindingId: AwsSecurityFindingId
  ComplianceControlId: ComplianceSecurityControlId
  Region: AwsRegion
relevantTechniques:
- T1098.003
- T1078.001

ARM