AWS Security Hub - Detect IAM Policies allowing full administrative privileges

Back


Id	de1f71d2-d127-439d-a8a2-e64d3187298a
Rulename	AWS Security Hub - Detect IAM Policies allowing full administrative privileges
Description	This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1. Overly permissive policies increase the risk of privilege escalation and unauthorized access.
Severity	High
Tactics	Persistence PrivilegeEscalation
Techniques	T1098.003 T1078.001
Required data connectors	AWSSecurityHub
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
Version	1.0.0
Arm template	de1f71d2-d127-439d-a8a2-e64d3187298a.json

KQL

AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
// Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
  or tostring(ComplianceSecurityControlId) == "IAM.1"
| extend
  IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
  IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
  IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
| summarize TimeGenerated = max(TimeGenerated)
  by
  AwsAccountId,
  AwsRegion,
  AwsSecurityFindingTitle,
  AwsSecurityFindingDescription,
  AwsSecurityFindingId,
  ComplianceSecurityControlId,
  IAMPolicyId,
  IAMPolicyName,
  IAMPolicyDescription

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/IAMPolicyWithFullAdminPriv.yaml
queryPeriod: 1h
kind: Scheduled
name: AWS Security Hub - Detect IAM Policies allowing full administrative privileges
status: Available
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
entityMappings:
- fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
  entityType: Account
alertDetailsOverride:
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has IAM Policy {{IAMPolicyId}} with full administrative privileges.
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} has IAM Policy with full administrative privileges
tactics:
- Persistence
- PrivilegeEscalation
description: |
  This query detects AWS IAM policies that allow full administrative ("*") privileges in violation of AWS Security Hub control IAM.1.
  Overly permissive policies increase the risk of privilege escalation and unauthorized access.  
severity: High
tags:
- PCI DSS v3.2.1
- NIST 800-53 r5
- CIS AWS Foundations Benchmark v1.4.0
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
queryFrequency: 1h
triggerThreshold: 0
version: 1.0.0
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  // Match Security Hub control IAM.1 by GeneratorId or explicit SecurityControlId/Title
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/IAM.1"
    or tostring(ComplianceSecurityControlId) == "IAM.1"
  | extend
    IAMPolicyId = tostring(Resources[0].Details.AwsIamPolicy.PolicyId),
    IAMPolicyName =  tostring(Resources[0].Details.AwsIamPolicy.PolicyName),
    IAMPolicyDescription = tostring(Resources[0].Details.AwsIamPolicy.Description)
  | summarize TimeGenerated = max(TimeGenerated)
    by
    AwsAccountId,
    AwsRegion,
    AwsSecurityFindingTitle,
    AwsSecurityFindingDescription,
    AwsSecurityFindingId,
    ComplianceSecurityControlId,
    IAMPolicyId,
    IAMPolicyName,
    IAMPolicyDescription  
relevantTechniques:
- T1098.003
- T1078.001
id: de1f71d2-d127-439d-a8a2-e64d3187298a
triggerOperator: gt

ARM