Account Manipulation: Additional Cloud Roles (AWS)


An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, they may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable.csCloudRead-onlyHTTPSList of IAM Policy

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Collection

Sub-Technique: Additional Cloud Roles

Platform: AWS

Products Required: Tenable.cs

Tenable Release Date: 2022 Q4