IAM Policy Changed

This alert occurs when Lacework detects an AWS IAM policy change.

Why this Alert is Important

IAM policies are one of the ways permissions are granted to users in an AWS environment. An unauthorized IAM policy change can grant an unauthorized user elevated privileges, which attackers commonly use to escalate privileges and move laterally across the environment.

Investigation

Check who made the most recent IAM policy change and what was changed. Look for unexpected IAM policy changes and monitor for any anomalies.

Resolution

Ensure that IAM policy changes are made only by administrators and that every such change is logged.
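The investigation and resolution steps above, as an added example that is not part of the original page or Lacework's own detection: it scans CloudTrail records (the AWS service that logs IAM API calls) for the IAM actions that create, modify, attach, or detach policies, reports who made each change and what it targeted, and flags actors outside an assumed approved-administrator list. The sample records and the admin list are constructed for illustration.

```python
import json

# Real CloudTrail eventName values for IAM API calls that change policies
# or their attachments; read-only calls (ListPolicies, GetPolicy) are excluded.
IAM_POLICY_CHANGE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "DeleteUserPolicy", "DeleteRolePolicy", "DeleteGroupPolicy",
}

# Constructed sample CloudTrail records (one JSON document per line); not real account data.
SAMPLE_EVENTS = [
    '{"eventTime":"2024-01-05T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin-alice"},'
    '"requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"}}',
    '{"eventTime":"2024-01-05T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"ListPolicies",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},"requestParameters":{}}',
    '{"eventTime":"2024-01-05T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"PutRolePolicy",'
    '"userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},'
    '"requestParameters":{"roleName":"app-role","policyName":"app-inline-policy"}}',
]

# Assumed list of principals allowed to change IAM policies (constructed).
APPROVED_ADMINS = {"arn:aws:iam::123456789012:user/admin-alice"}


def find_policy_changes(records, approved_admins):
    """Return one finding per IAM policy change: who, what, target, and whether
    the actor is outside the approved administrator set (an "unexpected" change)."""
    findings = []
    for line in records:
        ev = json.loads(line)
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in IAM_POLICY_CHANGE_EVENTS:
            continue
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "action": ev["eventName"],
            "target": ev.get("requestParameters", {}),
            "unexpected": actor not in approved_admins,
        })
    return findings


if __name__ == "__main__":
    for f in find_policy_changes(SAMPLE_EVENTS, APPROVED_ADMINS):
        print(("UNEXPECTED " if f["unexpected"] else "expected   ") + json.dumps(f))
```

The same function can be pointed at an exported CloudTrail file by reading its `Records` array instead of the constructed list.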

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html