
How to detect suspicious AWS Identity and Access Management activity

Understanding the threat

Suspicious AWS Identity and Access Management (IAM) activity often involves unauthorized changes to identity structures or trust relationships. This includes creating or deleting IAM groups, configuring AWS IAM Roles Anywhere trust anchors, or creating IAM Roles Anywhere profiles that allow workloads outside of AWS to assume IAM roles.

These actions are high-risk because they change how identities are defined and how access is granted. A new group can be used to aggregate permissions and then quietly add users to it later. Deleting a group strips its members of the permissions it carried and removes the record of who had which permissions. A Roles Anywhere trust anchor tells AWS which certificate authority to trust, and a profile lists the roles that certificate holders may assume; an anchor pointing at an external CA means that anyone holding a certificate issued by that CA can exchange it for temporary AWS credentials for those roles, so a compromised or attacker-controlled CA becomes a path into the account.

Log360 ingests AWS CloudTrail logs and monitors IAM management events related to group life cycle and IAM Roles Anywhere configuration. With built-in detection rules, it alerts security teams when these sensitive IAM changes occur, helping the teams identify misconfigurations or potential abuse early.

Category

Cloud

MITRE ATT&CK® mapping

T1098 | Account manipulation

Scenario

CloudTrail is enabled in an account to capture IAM management events across all regions. During a period with no scheduled IAM changes, CloudTrail records the following events:

  • An IAM group is created (CreateGroup, eventSource iam.amazonaws.com).
  • Later, an existing IAM group is deleted (DeleteGroup, eventSource iam.amazonaws.com).
  • A trust anchor is created for IAM Roles Anywhere using an external certificate authority (CreateTrustAnchor, eventSource rolesanywhere.amazonaws.com).
  • An IAM Roles Anywhere profile is created, listing the roles that workloads authenticating through the trust anchor may assume (CreateProfile, eventSource rolesanywhere.amazonaws.com).

Log360 raises an alert for each of these events because its detection rules match these IAM configuration changes, whether or not they were planned. The security team reviews the alerts to confirm whether the actions were authorized and aligned with the organization's IAM governance process; since no IAM changes were scheduled in this period, all four require follow-up.

Why this happens

  • IAM group creation and deletion occur when administrators modify how users are organized for permission management. These actions may happen during onboarding, restructuring, or cleanup activities.
  • IAM Roles Anywhere configuration events occur when organizations enable or update certificate-based authentication for workloads running outside AWS. Creating trust anchors and profiles is required to establish these authentication flows.
  • Because these actions change access structures or trust relationships, they are security-relevant and should be reviewed when they occur unexpectedly or outside approved change processes.

What can go wrong

  • Unreviewed IAM group changes can produce an access model that no longer matches policy: a new group can carry permissions nobody approved, and a deleted group removes its members' access along with the record of how that access was assigned.
  • An unreviewed IAM Roles Anywhere trust anchor extends authentication to every certificate the referenced CA issues, and the matching profile decides which roles those certificates can assume. If the CA is external and not controlled by the organization, its signing key is effectively an AWS credential.
  • Failing to monitor these events delays the discovery of misconfigurations or unauthorized changes, and the longer a rogue group or trust anchor persists, the longer it can be used.

Prerequisites

  • CloudTrail must be enabled to log IAM management events, including the following:
    • CreateGroup
    • DeleteGroup
    • CreateTrustAnchor
    • CreateProfile
  • CloudTrail logs must be forwarded to Log360 for centralized analysis. The records should include the calling identity (userIdentity), timestamp (eventTime), region (awsRegion), source IP address (sourceIPAddress), and request parameters (requestParameters); standard CloudTrail management events carry all of these.
  • Organizations should maintain documentation of approved IAM group structures and IAM Roles Anywhere usage to support accurate reviews of alerts.

Detecting suspicious AWS IAM activity using Log360

  • Verify that CloudTrail is enabled across all regions and configured to log IAM management events.
  • Ensure CloudTrail logs are forwarded to Log360 and that AWS is configured as a log source.
  • In Log360, navigate to Security > Manage Rules > Rule Library and enable the following detection rules:
    • AWS IAM Roles Anywhere Trust Anchor Created with External CA
    • AWS IAM Roles Anywhere Profile Created
    • IAM Group Created
    • IAM Group Deleted
  • When alerts are generated, review the associated CloudTrail event details to identify:
    • The IAM principal that performed the action (userIdentity), along with its source IP address and user agent.
    • The resource affected: the group name, trust anchor, or profile, and for CreateProfile the role ARNs it grants.
    • The time and region of the event.
  • Validate whether the activity aligns with approved change requests or operational procedures.
  • If the activity is unplanned, take corrective action according to internal IAM governance and security policies.
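As an added example (not Log360's own rule logic and not code from this page), the following Python replays the scenario above against constructed CloudTrail records and applies the review steps just listed: it matches the four event names under their CloudTrail eventSource, fires the trust anchor rule only for the external-CA case (a CERTIFICATE_BUNDLE source) while ignoring an anchor backed by AWS Private CA (AWS_ACM_PCA), extracts the principal, resource, time and region, and compares each event against an assumed approved-principal list and change window. The account ID, principal ARNs, approved list, change window and record values are all constructed for illustration; the record field names follow the CloudTrail schema.

```python
"""Replay of this page's scenario over constructed CloudTrail records: flag the four
IAM configuration events, extract the review fields (principal, resource, time,
region) and mark which ones fall outside the approved change process.
Added example, not Log360's rule logic; record shapes follow the CloudTrail
schema but the values, the approved-principal list and the change window are
assumed for illustration."""
import json
from datetime import datetime, timezone

# eventSource -> eventNames the page says to watch.
WATCHED = {
    "iam.amazonaws.com": {"CreateGroup", "DeleteGroup"},
    "rolesanywhere.amazonaws.com": {"CreateTrustAnchor", "CreateProfile"},
}
# Detection rule names as listed on the page.
RULES = {
    "CreateGroup": "IAM Group Created",
    "DeleteGroup": "IAM Group Deleted",
    "CreateTrustAnchor": "AWS IAM Roles Anywhere Trust Anchor Created with External CA",
    "CreateProfile": "AWS IAM Roles Anywhere Profile Created",
}
# Assumed governance inputs: who may change IAM structure, and the approved window.
APPROVED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/IAMAdmin/chg-4711"}
CHANGE_WINDOW = (datetime(2024, 5, 3, 22, 0, tzinfo=timezone.utc),
                 datetime(2024, 5, 3, 23, 0, tzinfo=timezone.utc))


def uses_external_ca(params):
    """A Roles Anywhere trust anchor is backed by AWS Private CA (AWS_ACM_PCA) or by an
    uploaded CA certificate bundle (CERTIFICATE_BUNDLE); the bundle is the external-CA
    case the page's rule targets."""
    return (params.get("source") or {}).get("sourceType") == "CERTIFICATE_BUNDLE"


def evaluate(record):
    """Return an alert dict for a watched management event, or None."""
    name, params = record.get("eventName"), record.get("requestParameters") or {}
    if name not in WATCHED.get(record.get("eventSource"), ()):
        return None
    if name == "CreateTrustAnchor" and not uses_external_ca(params):
        return None  # AWS Private CA anchor: outside the external-CA rule's scope
    when = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
    principal = (record.get("userIdentity") or {}).get("arn", "<unknown>")
    reasons = []
    if principal not in APPROVED_PRINCIPALS:
        reasons.append("principal not on approved IAM admin list")
    if not CHANGE_WINDOW[0] <= when <= CHANGE_WINDOW[1]:
        reasons.append("outside approved change window")
    return {
        "rule": RULES[name],
        "principal": principal,
        "resource": params.get("groupName") or params.get("name"),
        "roles": params.get("roleArns", []),  # roles a new profile lets certificate holders assume
        "time": when.isoformat(),
        "region": record.get("awsRegion"),
        "source_ip": record.get("sourceIPAddress"),
        "planned": not reasons,
        "reasons": reasons,
    }


def run(log_text):
    """Evaluate every record of a CloudTrail log-file body ({"Records": [...]})."""
    return [a for a in map(evaluate, json.loads(log_text)["Records"]) if a]


def rec(time, source, name, region, actor, params):
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": actor},
            "requestParameters": params}


ADMIN = "arn:aws:sts::111122223333:assumed-role/IAMAdmin/chg-4711"  # assumed approved admin
SVC = "arn:aws:iam::111122223333:user/svc-deploy"                   # assumed unexpected actor
IAM, RAW = "iam.amazonaws.com", "rolesanywhere.amazonaws.com"
SAMPLE_LOG = json.dumps({"Records": [  # constructed records
    rec("2024-05-03T22:15:02Z", IAM, "CreateGroup", "us-east-1", ADMIN, {"groupName": "Billing-ReadOnly"}),
    rec("2024-05-04T02:10:41Z", IAM, "ListGroups", "us-east-1", SVC, None),  # read-only, ignored
    rec("2024-05-04T02:17:33Z", IAM, "CreateGroup", "us-east-1", SVC, {"groupName": "ops-temp"}),
    rec("2024-05-04T02:21:10Z", IAM, "DeleteGroup", "us-east-1", SVC, {"groupName": "Auditors"}),
    rec("2024-05-04T02:25:48Z", RAW, "CreateTrustAnchor", "eu-west-1", SVC,
        {"name": "ext-ca-anchor", "source": {"sourceType": "CERTIFICATE_BUNDLE",
                                             "sourceData": {"x509CertificateData": "<pem bundle>"}}}),
    rec("2024-05-04T02:26:30Z", RAW, "CreateTrustAnchor", "eu-west-1", ADMIN,  # AWS Private CA, no alert
        {"name": "corp-pca-anchor", "source": {"sourceType": "AWS_ACM_PCA", "sourceData": {"acmPcaArn":
         "arn:aws:acm-pca:eu-west-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555"}}}),
    rec("2024-05-04T02:27:05Z", RAW, "CreateProfile", "eu-west-1", SVC,
        {"name": "ext-profile", "roleArns": ["arn:aws:iam::111122223333:role/AdminAccess"]}),
]})

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        status = "PLANNED" if alert["planned"] else "INVESTIGATE: " + "; ".join(alert["reasons"])
        print(f'{alert["time"]} {alert["region"]:<9} {alert["rule"]}: {alert["resource"]} '
              f'by {alert["principal"]} -> {status}')
```

Running it yields five alerts: the in-window CreateGroup by the approved admin is marked planned, the four events from the scenario are marked for investigation with both reasons (unapproved principal, outside the window), the ListGroups call never matches, and the AWS Private CA anchor is deliberately left out because it is not the external-CA case. In a real deployment the approved-principal list and change window come from the change-management system, and the same fields drive the correlation with other CloudTrail activity suggested under Next steps.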

Next steps

  • Maintain an up-to-date inventory of IAM groups and their intended purposes.
  • Limit permissions to create or delete IAM groups to authorized administrators.
  • Document approved use cases for IAM Roles Anywhere and track associated trust anchors and profiles.
  • Configure alert notifications in Log360 so IAM configuration changes are reviewed promptly.
  • Periodically audit IAM group and IAM Roles Anywhere configurations to ensure they remain aligned with organizational requirements.
  • Correlate IAM alerts with other CloudTrail activity to gain additional context during reviews.