Skip to content

AttachRolePolicy

AWS

AttachRolePolicy

service: AWS - IAM
techniques:

Event

Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.

Security Context

  • Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — already controlling a session that can assume IncidentResponseRole (or having created a backdoor role of his own) — attaches arn:aws:iam::aws:policy/AdministratorAccess to the OccamyPipelineRole. The OCCAMY pipeline role is assumed routinely by EC2 instances and the GitHub Actions OIDC flow (see AssumeRoleWithWebIdentity event). After this event, every subsequent assumption of that role yields admin credentials, providing covert persistence that survives Draco’s user being deleted.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T20:48:33Z",
"eventSource": "iam.amazonaws.com",
"eventName": "AttachRolePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"roleName": "OccamyPipelineRole",
"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000001110100",
"eventID": "90000000-0000-4000-8000-000001110101",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...