CreatePolicyVersion
Event
Creates a new version of an IAM managed policy, which can optionally be set as the default active version.
Security Context
- Creating a new policy version with the set-as-default flag (the SetAsDefault request parameter) immediately applies the updated permissions to every principal the policy is attached to, enabling silent privilege escalation: no new user, role, or attachment is created, so detections keyed on those events do not fire.
- This is a well-known IAM privilege escalation path: an attacker holding iam:CreatePolicyVersion on a policy attached to their own principal can grant themselves administrative access without creating new roles or users.
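Added detection example (not part of this entry, and not its sample event): a triage function run over a constructed CloudTrail record. It assumes the request parameter names CloudTrail records for this call (policyArn, policyDocument, setAsDefault) and a constructed account id and policy ARN; it scores a CreatePolicyVersion event higher when the new version is set as default and grants Allow on all actions and resources.

```python
import json

# Constructed CloudTrail record for illustration; the account id, principal and
# policy ARN are made up. Request parameter names (policyArn, policyDocument,
# setAsDefault) follow the IAM CreatePolicyVersion API as CloudTrail records them.
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreatePolicyVersion",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
    "requestParameters": {
        "policyArn": "arn:aws:iam::111122223333:policy/ExamplePolicy",
        "setAsDefault": True,
        # CloudTrail carries the policy document as a JSON string.
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        }),
    },
}

def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single item or a list."""
    return value if isinstance(value, list) else [value]

def grants_wildcard_admin(policy_document):
    """True if any Allow statement permits all actions (or all IAM actions) on all resources."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "iam:*") for a in actions) and "*" in resources:
            return True
    return False

def triage_create_policy_version(event):
    """Return (severity, reason) for a CloudTrail record, or None if it is not this event."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    if event.get("eventName") != "CreatePolicyVersion":
        return None
    params = event.get("requestParameters") or {}
    if not params.get("setAsDefault"):
        # A non-default version changes nothing until someone activates it.
        return ("low", "new version not set as default")
    if grants_wildcard_admin(params.get("policyDocument", "{}")):
        return ("high", "default version grants Allow */* (admin)")
    return ("medium", "default version changed; review policy diff")
```

A failed attempt still appears in CloudTrail with an errorCode field, so a production rule would usually keep those events at informational severity rather than drop them.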
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.