ReplaceIamInstanceProfileAssociation
Event
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
Security Context
- Using valid cloud accounts allows adversaries to blend in with legitimate activity while accessing sensitive resources.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Privilege Escalation, Persistence
Techniques:
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine.
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...