CreateRole
Event
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.