AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
T1078.004: Cloud Accounts
T1078.004: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...
View on MITRE ATT&CK →AWS AssumeRole
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
AWS AssumeRoleWithSAML
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
AWS AssumeRoleWithWebIdentity
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
AWS ConsoleLogin
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
GCP generateAccessToken
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
AWS GetFederationToken
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
AWS GetSessionToken
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
GCP iam.serviceAccounts.getAccessToken
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
GCP iam.serviceAccounts.signJwt
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
Azure Microsoft.Authorization/elevateAccess/action
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
AWS PassRole
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
AWS PasswordRecoveryRequested
Records a request to recover or reset the AWS account root user password via the password reset process.
AWS ReplaceIamInstanceProfileAssociation
Replaces the IAM instance profile associated with a running EC2 instance with a different one.