CreateServiceLinkedRole
Event
Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.
Security Context
- Service-linked roles are managed by AWS services and have predefined permissions that may exceed what an attacker could create through standard IAM role creation, enabling indirect privilege escalation.
- Adversaries with iam:CreateServiceLinkedRole can instantiate roles for services that carry broad permissions, potentially bypassing permission boundaries and SCPs.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.