An attacker with access to your AWS account can create an IAM user to escalate their privileges and persist in your environment.
When an attacker creates an IAM user in your environment, they may continue to have access to your environment for an extended period of time even when the root cause of the breach is identified and fixed.
Attackers typically attempt to create IAM users, assign them a privileged IAM policy, and generate access keys for the newly created user.
You can detect when a new IAM user is created by looking for the CloudTrail event that the user-creation call generates.
After creating an IAM user, attackers frequently attach a policy to it (AttachUserPolicy) and create access keys (CreateAccessKey) or login profiles for it.
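As an added example (not code from this page or from Datadog), the following Python check correlates the three IAM calls described above over constructed CloudTrail records: a user is flagged only when it is created, given a privileged policy and issued a credential within a short window. The PRIVILEGED_POLICIES set, the 30-minute WINDOW and the sample records are assumptions for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Managed policies treated as privileged; AdministratorAccess is the AWS
# managed admin policy. Extend this set with your own admin-equivalent ARNs.
PRIVILEGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
WINDOW = timedelta(minutes=30)  # assumed: how soon after creation the follow-up calls land

def find_admin_user_persistence(records):
    """Return IAM user names that were created, attached a privileged policy and
    given an access key or login profile, all within WINDOW of the CreateUser call."""
    created, attached, creds = {}, defaultdict(list), defaultdict(list)
    for e in records:
        params = e.get("requestParameters") or {}
        name = params.get("userName")
        # Skip non-IAM events, events without a target user and failed (denied) calls
        if e.get("eventSource") != "iam.amazonaws.com" or not name or e.get("errorCode"):
            continue
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ev = e.get("eventName")
        if ev == "CreateUser":
            created[name] = ts
        elif ev == "AttachUserPolicy" and params.get("policyArn") in PRIVILEGED_POLICIES:
            attached[name].append(ts)
        elif ev in ("CreateAccessKey", "CreateLoginProfile"):
            creds[name].append(ts)
    hits = []
    for name, t0 in created.items():
        in_window = lambda ts: t0 <= ts <= t0 + WINDOW
        if any(map(in_window, attached[name])) and any(map(in_window, creds[name])):
            hits.append(name)
    return sorted(hits)

# Constructed CloudTrail records (not real log data) in the shape of a log file:
# one suspicious chain for "backdoor" and a benign read-only user "deploy-bot".
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "requestParameters": {"userName": "backdoor"}},
 {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "requestParameters": {"userName": "backdoor", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "requestParameters": {"userName": "backdoor"}},
 {"eventTime": "2024-01-15T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "requestParameters": {"userName": "deploy-bot"}},
 {"eventTime": "2024-01-15T11:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "requestParameters": {"userName": "deploy-bot", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
 {"eventTime": "2024-01-15T11:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "requestParameters": {"userName": "deploy-bot"}}
]}""")["Records"]

if __name__ == "__main__":
    print(find_admin_user_persistence(SAMPLE_RECORDS))  # ['backdoor']
```

Run against a real CloudTrail log file by passing its "Records" list; a user that only receives a read-only policy, or whose key is created long after the user, is not flagged.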
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.persistence.iam-create-admin-user
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS IAM privileged policy was applied to a user".
Create an administrative IAM User
From CLI to console, chasing an attacker in AWS
Anatomy of an Attack: Exposed keys to Crypto Mining
A case study of Cloud compromise
M-Trends 2021 (page 73)
Hunting for signs of persistence in the cloud