IAM Policy Changed
This alert occurs when Lacework detects an AWS IAM policy change.
Why this Alert is Important
IAM policies are one of the ways to authenticate and grant permissions to users in an AWS environment. Unauthorized IAM policy changes can grant unauthorized users elevated access privileges. Attackers commonly use such changes to escalate privileges and move laterally across the environment.
Investigation
Check who made the last IAM policy change and what was changed. Look for unexpected IAM policy changes and monitor for any anomalies.
Resolution
Ensure that IAM policy changes are made only by administrators and are logged.
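The Investigation and Resolution steps above can be run over AWS CloudTrail records, as in this added example (not Lacework's own detection logic). It reports who made each successful IAM policy change, what was changed, and whether the actor is on an approved-administrator list; the `APPROVED_ADMIN_ARNS` list, the helper names and the sample records are assumptions constructed for illustration.

```python
POLICY_CHANGE_EVENTS = {  # CloudTrail eventName values for IAM policy changes
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "SetDefaultPolicyVersion", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
}
# Assumption: the principals your organization allows to change IAM policies.
APPROVED_ADMIN_ARNS = {"arn:aws:iam::111122223333:user/iam-admin"}

def actor_arn(record):
    """Principal behind the call; for an assumed-role session, the role itself."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def triage(records):
    """Successful IAM policy changes, newest first, with who/what and an approval flag."""
    findings = []
    for r in records:
        if (r.get("eventSource") != "iam.amazonaws.com" or "errorCode" in r
                or r.get("eventName") not in POLICY_CHANGE_EVENTS):
            continue  # not an IAM policy change, or the call failed and changed nothing
        who = actor_arn(r)
        findings.append({"time": r["eventTime"], "who": who, "action": r["eventName"],
                         "source_ip": r.get("sourceIPAddress"),
                         "what": r.get("requestParameters") or {},
                         "approved": who in APPROVED_ADMIN_ARNS})
    return sorted(findings, key=lambda f: f["time"], reverse=True)

IAM, ACCT = "iam.amazonaws.com", "111122223333"
SAMPLE_RECORDS = [  # constructed records in CloudTrail's field layout
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": IAM, "eventName": "CreatePolicyVersion",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/iam-admin"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{ACCT}:policy/app-read", "setAsDefault": True}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": IAM, "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/s1",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/ci-deploy"}}},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": IAM, "eventName": "PutRolePolicy",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/dev-jane"}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["time"], f["action"], f["who"], "approved" if f["approved"] else "REVIEW", f["what"])
```

Changes flagged `REVIEW` came from a principal outside the approved list and are the ones to examine first.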
Related Information
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html