AttachRolePolicy
AWS
AttachRolePolicy
Event
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — already controlling a session that can assume IncidentResponseRole (or having created a backdoor role of his own) — attaches arn:aws:iam::aws:policy/AdministratorAccess to the OccamyPipelineRole. The OCCAMY pipeline role is assumed routinely by EC2 instances and the GitHub Actions OIDC flow (see AssumeRoleWithWebIdentity event). After this event, every subsequent assumption of that role yields admin credentials, providing covert persistence that survives Draco’s user being deleted.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:48:33Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "roleName": "OccamyPipelineRole", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000001110100", "eventID": "90000000-0000-4000-8000-000001110101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...