Skip to content

UpdateAssumeRolePolicy

AWS

UpdateAssumeRolePolicy

service: AWS - IAM
techniques:

Event

Updates the trust policy of an IAM role, changing which principals are permitted to assume it.

Security Context

  • Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

CloudTrail

Sample Event

Adversarial. Draco modifies the trust policy of GraphornAdminRole to add arn:aws:iam::555666661337:root as a principal — meaning every IAM principal in his external account 555666661337 can now AssumeRole into the victim’s admin role. This is one of the cleanest “cross-account persistence” patterns: even if Draco’s own IAM user draco is disabled, he keeps admin via cross-account trust. T1098 + T1548.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:23:11Z",
"eventSource": "iam.amazonaws.com",
"eventName": "UpdateAssumeRolePolicy",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"roleName": "GraphornAdminRole",
"policyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A555666661337%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000111000010",
"eventID": "90000000-0000-4000-8000-000111000011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Persistence Privilege Escalation

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...