SetDefaultPolicyVersion

CSP: AWS
Event

Sets the default version of an IAM customer managed policy, changing which version is evaluated for every user, group and role the policy is attached to. A managed policy can hold up to five versions, and only the default is enforced, so the non-default versions persist as ready-to-activate permission sets.

Security Context

  • Switching the default activates a pre-staged set of permissions: a principal allowed iam:SetDefaultPolicyVersion can escalate by reverting to an older, broader version that still exists on the policy, or by activating a version staged earlier, without attaching any new policy to any identity.
  • This is a documented IAM privilege escalation path: an adversary creates a permissive version (iam:CreatePolicyVersion), then sets it as default to gain the elevated access immediately on every principal the policy is attached to. CreatePolicyVersion with setAsDefault=true performs both steps in one call and is logged only as CreatePolicyVersion, so a detection keyed solely on SetDefaultPolicyVersion misses that variant.
  • The event's requestParameters carry the policyArn and versionId that were activated; compare that version's document with the previous default (GetPolicyVersion) to see what actually changed. IAM is a global service, so the record is written with awsRegion us-east-1 regardless of where the caller was.
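The following detection logic is an added example, not part of the original page or of any AWS tooling. It runs over constructed CloudTrail records (the field layout follows the CloudTrail record format, but every ARN, account ID, address and timestamp is made up) and raises a finding for each change to a policy's default version. It goes slightly beyond the event itself: it also flags CreatePolicyVersion calls made with setAsDefault=true, correlates a SetDefaultPolicyVersion with a CreatePolicyVersion of the same version by the same principal shortly before (the staged escalation), and records rejected attempts separately because an errorCode means the default did not actually change. The 30-minute correlation window is an assumption for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample CloudTrail records for this example (not real logs).
SAMPLE_RECORDS = json.loads(r"""
[
 {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AppPolicy",
                        "setAsDefault": false, "policyDocument": "%7B...%7D"},
  "responseElements": {"policyVersion": {"versionId": "v3", "isDefaultVersion": false}}},
 {"eventTime": "2024-05-01T12:04:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "SetDefaultPolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AppPolicy", "versionId": "v3"},
  "responseElements": null},
 {"eventTime": "2024-05-01T12:30:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci/build"},
  "requestParameters": {"bucketName": "artifacts", "key": "build.zip"}, "responseElements": null},
 {"eventTime": "2024-05-01T13:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "SetDefaultPolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/OtherPolicy", "versionId": "v1"},
  "responseElements": null},
 {"eventTime": "2024-05-01T13:30:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
  "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/ThirdPolicy",
                        "setAsDefault": true, "policyDocument": "%7B...%7D"},
  "responseElements": {"policyVersion": {"versionId": "v2", "isDefaultVersion": true}}},
 {"eventTime": "2024-05-01T14:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "SetDefaultPolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dave"},
  "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/AppPolicy", "versionId": "v2"},
  "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform iam:SetDefaultPolicyVersion"}
]
""")


def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(rec):
    return (rec.get("userIdentity") or {}).get("arn", "<unknown>")


def find_default_version_changes(records, stage_window=timedelta(minutes=30)):
    """Return one finding per event that changed, or tried to change, which version
    of a managed policy is the default, in eventTime order."""
    staged = {}    # (policyArn, versionId) -> (actor, time) of a non-default CreatePolicyVersion
    findings = []
    for rec in sorted(records, key=_when):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in ("CreatePolicyVersion", "SetDefaultPolicyVersion"):
            continue
        params = rec.get("requestParameters") or {}
        arn = params.get("policyArn")
        base = {"eventName": name, "actor": _actor(rec), "policyArn": arn,
                "eventTime": rec["eventTime"], "sourceIPAddress": rec.get("sourceIPAddress")}
        if rec.get("errorCode"):
            # The call was rejected, so the default did not change; keep the attempt,
            # since it shows a principal probing this escalation path.
            findings.append({**base, "versionId": params.get("versionId"), "severity": "low",
                             "reason": f"attempt failed: {rec['errorCode']}"})
            continue
        if name == "CreatePolicyVersion":
            version = ((rec.get("responseElements") or {}).get("policyVersion") or {}).get("versionId")
            if params.get("setAsDefault"):
                # Both steps in one call: no SetDefaultPolicyVersion event will follow.
                findings.append({**base, "versionId": version, "severity": "high",
                                 "reason": "new version created and activated in one call (setAsDefault=true)"})
            else:
                staged[(arn, version)] = (_actor(rec), _when(rec))
            continue
        # SetDefaultPolicyVersion: was this version staged by the same actor just before?
        version = params.get("versionId")
        finding = {**base, "versionId": version}
        prior = staged.get((arn, version))
        if prior and prior[0] == _actor(rec) and _when(rec) - prior[1] <= stage_window:
            minutes = int((_when(rec) - prior[1]).total_seconds() // 60)
            finding.update(severity="high",
                           reason=f"same principal created {version} {minutes} min earlier (staged version activated)")
        else:
            finding.update(severity="medium",
                           reason="default switched to a pre-existing version (possible reversion to a broader version)")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_default_version_changes(SAMPLE_RECORDS):
        print(f"[{f['severity']:6}] {f['eventTime']} {f['actor']} {f['eventName']} "
              f"{f['policyArn']} {f['versionId']}: {f['reason']}")
```

The medium-severity case is deliberately not auto-closed: a switch to an existing version is the reversion variant, and whether it broadened access can only be settled by diffing that version's document against the previous default, which the event does not contain.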

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.