Change to IAM User Policy Configuration
Overview
This detector will create an issue when one or more policies that apply to an IAM user are added or removed.
One or more of the following CloudTrail events will trigger this issue for an IAM user:
- Adding or updating an inline policy: 'PutUserPolicy'
- Deleting an inline policy: 'DeleteUserPolicy'
- Attaching a managed policy: 'AttachUserPolicy'
- Detaching a managed policy: 'DetachUserPolicy'
Note that this detector does not monitor changes to the content of managed policies, nor changes to policies that apply to the groups this user is a member of. Issues are automatically resolved after a configurable duration, so that later changes to this user's policy configuration create new issues periodically rather than being folded into an old one.
If unexpected, this could be an indicator of privilege escalation in your environment. Group policies can deny or allow access, so pay close attention to any changes.
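The following is an added example, not the vendor's detector code, showing how the logic described above can be applied to CloudTrail records: it keeps only successful IAM API calls whose eventName is one of the four user-policy events, ignores unrelated events such as group-policy changes, groups matching events into one issue per IAM user, and opens a fresh issue once the configurable resolve duration has elapsed since the issue was first seen. The sample records, the account id and the user and policy names are constructed for illustration; the CloudTrail field names (eventName, eventSource, requestParameters.userName, policyName, policyArn, errorCode, userIdentity.arn) are the standard ones.

```python
from datetime import datetime, timedelta

# The four CloudTrail event names listed in the detector description.
USER_POLICY_EVENTS = {
    "PutUserPolicy",     # add or update an inline policy
    "DeleteUserPolicy",  # delete an inline policy
    "AttachUserPolicy",  # attach a managed policy
    "DetachUserPolicy",  # detach a managed policy
}


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def policy_reference(record):
    """Inline-policy events carry policyName; managed-policy events carry policyArn."""
    params = record.get("requestParameters") or {}
    return params.get("policyName") or params.get("policyArn")


def detect_user_policy_changes(records, resolve_after=timedelta(hours=24)):
    """Return a list of issues, one per IAM user per resolve window.

    Each issue is a dict with the user, the time the issue was opened and the
    list of policy-change events that fall into it. An issue is treated as
    resolved (assumption: measured from its first event) after `resolve_after`,
    so a later change to the same user opens a new issue.
    """
    issues = []
    open_issue_by_user = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in USER_POLICY_EVENTS:
            continue  # e.g. PutGroupPolicy: group policies are not monitored here
        if rec.get("errorCode"):
            continue  # the API call failed, so no policy change took effect
        user = rec["requestParameters"]["userName"]
        ts = parse_event_time(rec["eventTime"])
        issue = open_issue_by_user.get(user)
        if issue is None or ts - issue["first_seen"] >= resolve_after:
            issue = {"user": user, "first_seen": ts, "events": []}
            issues.append(issue)
            open_issue_by_user[user] = issue
        issue["events"].append({
            "eventName": rec["eventName"],
            "policy": policy_reference(rec),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "time": ts,
        })
    return issues


# Constructed sample CloudTrail records (trimmed to the fields used above).
_ADMIN = "arn:aws:iam::123456789012:user/admin"  # constructed actor ARN
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "userIdentity": {"arn": _ADMIN},
     "requestParameters": {"userName": "alice", "policyName": "inline-s3-admin"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": {"arn": _ADMIN},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # Group policy change: out of scope for this detector, must be ignored.
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutGroupPolicy", "userIdentity": {"arn": _ADMIN},
     "requestParameters": {"groupName": "developers", "policyName": "inline-dev"}},
    # Failed attempt: errorCode set, so no change happened.
    {"eventTime": "2024-01-01T10:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/intern"},
     "requestParameters": {"userName": "carol",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DetachUserPolicy", "userIdentity": {"arn": _ADMIN},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    # Two days later: the earlier alice issue has resolved, so this opens a new one.
    {"eventTime": "2024-01-03T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUserPolicy", "userIdentity": {"arn": _ADMIN},
     "requestParameters": {"userName": "alice", "policyName": "inline-s3-admin"}},
]

if __name__ == "__main__":
    for issue in detect_user_policy_changes(SAMPLE_RECORDS):
        names = [e["eventName"] for e in issue["events"]]
        print(f"{issue['user']} (opened {issue['first_seen']:%Y-%m-%d %H:%M}): {names}")
```

With the default 24-hour resolve duration the sample produces three issues: one for alice covering the PutUserPolicy and AttachUserPolicy calls, one for bob, and a second alice issue for the DeleteUserPolicy two days later. Raising resolve_after to a week folds that last event into the first alice issue, which is the trade-off the configurable duration controls: longer windows mean fewer, noisier issues; shorter windows surface each burst of changes separately.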
Vendor
AWS
Severity
3