cscli scenarios install crowdsecurity/aws-cis-benchmark-iam-policy-change
Detects AWS IAM policy changes (Section 4.4 of the CIS AWS Foundations Benchmark 1.4.0).
```yaml
type: trigger
name: crowdsecurity/aws-cis-benchmark-iam-policy-change
description: "Detect AWS IAM policy change"
filter: |
  evt.Meta.log_type == 'aws-cloudtrail' &&
  (
  evt.Meta.event_name == "DeleteGroupPolicy" ||
  evt.Meta.event_name == "DeleteRolePolicy" ||
  evt.Meta.event_name == "DeleteUserPolicy" ||
  evt.Meta.event_name == "PutGroupPolicy" ||
  evt.Meta.event_name == "PutRolePolicy" ||
  evt.Meta.event_name == "PutUserPolicy" ||
  evt.Meta.event_name == "CreatePolicy" ||
  evt.Meta.event_name == "DeletePolicy" ||
  evt.Meta.event_name == "CreatePolicyVersion" ||
  evt.Meta.event_name == "DeletePolicyVersion" ||
  evt.Meta.event_name == "AttachRolePolicy" ||
  evt.Meta.event_name == "DetachRolePolicy" ||
  evt.Meta.event_name == "AttachUserPolicy" ||
  evt.Meta.event_name == "DetachUserPolicy" ||
  evt.Meta.event_name == "AttachGroupPolicy" ||
  evt.Meta.event_name == "DetachGroupPolicy"
  )
labels:
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1098.003
  behavior: "cloud:audit"
  label: "AWS IAM persistent access"
  service: aws
  cti: false
  remediation: false
```
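The same event-name match applied offline to raw CloudTrail records, as an added example (not CrowdSec's code). It assumes the scenario's `evt.Meta.event_name` corresponds to CloudTrail's `eventName` field, and it goes beyond the filter by pulling out the actor, target and a failure flag for triage; the `policy_changes` helper and the sample log are constructed for illustration.

```python
import json

# Event names copied from the scenario filter on this page.
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}

# Constructed CloudTrail log file, not real data. The account ID and IP
# addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "requestParameters": None},
]})


def policy_changes(raw):
    """Return one triage record per IAM policy-change event in a CloudTrail file."""
    hits = []
    for rec in json.loads(raw).get("Records", []):
        if rec.get("eventName") not in IAM_POLICY_EVENTS:
            continue
        params = rec.get("requestParameters") or {}  # may be null on failed calls
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "target": params.get("roleName") or params.get("userName")
                      or params.get("groupName"),
            "policy": params.get("policyArn") or params.get("policyName"),
            "failed": "errorCode" in rec,  # call returned an error, change not applied
        })
    return hits


if __name__ == "__main__":
    for hit in policy_changes(SAMPLE_LOG):
        print(hit)
```

The filter shown above matches on log type and event name only, so the `failed` flag is an extra triage field here rather than something the scenario evaluates.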