Skip to content

CreateServiceLinkedRole

AWS

CreateServiceLinkedRole

service: AWS - IAM
techniques:

Event

Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.

Security Context

  • Service-linked roles are managed by AWS services and have predefined permissions that may exceed what an attacker could create through standard IAM role creation, enabling indirect privilege escalation.
  • Adversaries with iam:CreateServiceLinkedRole can instantiate roles for services that carry broad permissions, potentially bypassing permission boundaries and SCPs.

Log Source

CloudTrail

Sample Event

Legitimate. Hermione enables Amazon GuardDuty in the production account for the first time. The first call to guardduty:CreateDetector triggers automatic creation of the GuardDuty service-linked role AWSServiceRoleForAmazonGuardDuty. CloudTrail records this as a CreateServiceLinkedRole event called by the GuardDuty service (note userIdentity shape — the call is made by Hermione’s session but on behalf of GuardDuty’s onboarding flow).

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"accessKeyId": "AKIAHERM10NEEXAMPLE1",
"userName": "hermione",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T13:42:11Z",
"mfaAuthenticated": "true"
}
}
},
"eventTime": "2026-04-15T14:22:46Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateServiceLinkedRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "aws-cli/2.15.30 Python/3.11.6 Linux/5.15.0-1052-aws exe/x86_64.ubuntu.22 prompt/off command/guardduty.create-detector",
"requestParameters": {
"aWSServiceName": "guardduty.amazonaws.com",
"description": "Service-linked role for GuardDuty"
},
"responseElements": {
"role": {
"path": "/aws-service-role/guardduty.amazonaws.com/",
"roleName": "AWSServiceRoleForAmazonGuardDuty",
"roleId": "AROAGUARDDUTYSLR00001",
"arn": "arn:aws:iam::555123456789:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
"createDate": "Apr 15, 2026, 2:22:46 PM",
"assumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22guardduty.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D"
}
},
"requestID": "90000000-0000-4000-8000-000010011110",
"eventID": "90000000-0000-4000-8000-000010011111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...