Creating a new IAM user

EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit it; some refer to this as likelihood.

IMPACT Impact measures how damaging a successful exploitation of this vulnerability is expected to be for your environment and organization.

An attacker with access to your AWS account can create an IAM user to escalate their privileges and persist in your environment.

Understanding Impact

Business Impact

When an attacker creates an IAM user in your environment, they may retain access to your environment for an extended period of time, even after the root cause of the breach has been identified and fixed.

Technical Impact

Attackers typically attempt to create IAM users, assign them a privileged IAM policy, and generate access keys for the newly created user.

You can detect when a new IAM user is created using the CloudTrail event CreateUser.

After creating an IAM user, attackers frequently attach a policy to it (AttachUserPolicy) and create access keys (CreateAccessKey) or login profiles (CreateLoginProfile).
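As an added example (not Datadog's detection rule and not Stratus Red Team code), the following Python correlates the CloudTrail sequence described above: a CreateUser event followed, within a short window, by AttachUserPolicy, CreateAccessKey or CreateLoginProfile against the same new user. The field names follow the CloudTrail record format; the account id, ARNs, user names and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real events). The first three
# form the CreateUser -> AttachUserPolicy -> CreateAccessKey chain; the
# fourth is a lone CreateUser with no follow-up and should not be flagged.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised"},
     "requestParameters": {"userName": "backdoor-admin"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised"},
     "requestParameters": {"userName": "backdoor-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised"},
     "requestParameters": {"userName": "backdoor-admin"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-jane"},
     "requestParameters": {"userName": "new-hire"}},
]

# Follow-up IAM API calls that turn a freshly created user into a usable foothold.
FOLLOW_UPS = {"AttachUserPolicy", "CreateAccessKey", "CreateLoginProfile"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_user_persistence(events, window=timedelta(minutes=30)):
    """Return one finding per newly created IAM user that, within `window` of its
    CreateUser event, received a policy, an access key or a login profile."""
    created = {}                # new userName -> its CreateUser event
    follow = defaultdict(list)  # new userName -> follow-up eventNames, in order
    for ev in sorted(events, key=_ts):
        name = ev.get("requestParameters", {}).get("userName")
        if not name:
            continue
        if ev["eventName"] == "CreateUser":
            created[name] = ev
        elif ev["eventName"] in FOLLOW_UPS and name in created:
            if _ts(ev) - _ts(created[name]) <= window:
                follow[name].append(ev["eventName"])
    return [{"new_user": name,
             "created_by": ev["userIdentity"]["arn"],
             "follow_up_actions": follow[name]}
            for name, ev in created.items() if follow[name]]
```

The `created_by` ARN is the identity worth pivoting on during triage, since the same principal usually performs all three calls.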

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.persistence.iam-create-admin-user

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS IAM privileged policy was applied to a user".

Create an administrative IAM User

From CLI to console, chasing an attacker in AWS

Anatomy of an Attack: Exposed keys to Crypto Mining

A case study of Cloud compromise

M-Trends 2021 (page 73)

Sample incident

Hunting for signs of persistence in the cloud
