Creating a new IAM user

PLATFORM

SERVICE

iam

DATA BREACHES

known

LAST UPDATED

EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.

low

high

About

An attacker with access to your AWS account can create an IAM user to escalate their privileges and persist in your environment.

Understanding Impact

Business Impact

When an attacker creates an IAM user in your environment, they may continue to have access to your environment for an extended period of time even when the root cause of the breach is identified and fixed.

Technical Impact

Attackers typically attempt to create IAM users, assign them a privileged IAM policy, and generate access keys for the newly created user.

Detection

You can detect when a new IAM user is created using the CloudTrail event CreateUser.

After creating an IAM user, attackers frequently attach a policy to it (AttachUserPolicy) and create access keys (CreateAccessKey) or login profiles (CreateLoginProfile).

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.persistence.iam-create-admin-user

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS IAM privileged policy was applied to a user".

References

Create an administrative IAM User

stratus-red-team.cloud

From CLI to console, chasing an attacker in AWS

expel.com

Anatomy of an Attack: Exposed keys to Crypto Mining

permiso.io

A case study of Cloud compromise

blog.darklab.hk

M-Trends 2021 (page 73)

mandiant.com

Sample incident

pdpc.gov.sg

Hunting for signs of persistence in the cloud

wiz.io

Did you find this article helpful?