Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Writing Detections
Rules
Policies
Testing
Alert Summaries
Detection Packs
Caching
Data Models
Global Helper Functions
Report Mapping
Panther Developer Workflows: Detections
Triaging Alerts
Alert Runbooks
Built-in Policies
Built-in Rules
AWS CloudTrail Modified
AWS Config Service Modified
AWS Console Login Failed
AWS Console Login Without MFA
AWS EC2 Gateway Modified
AWS EC2 Network ACL Modified
AWS EC2 Route Table Modified
AWS EC2 SecurityGroup Modified
AWS EC2 VPC Modified
AWS IAM Policy Modified
AWS KMS CMK Loss
AWS Root Activity
AWS S3 Bucket Policy Modified
AWS Unauthorized API Call
Cloud Security Scanning
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
AWS IAM Policy Modified
This rule monitors for changes to IAM policies.
Risk
Remediation Effort
Medium
Low
IAM policies control what AWS entities have access to other AWS entities. These changes should be very closely monitored, as poor IAM configuration (accidental or malicious) is a major cause of AWS breaches.
Remediation
Verify that the IAM changes observed were planned and are reasonably executed. For example, make sure new IAM policies grant access to specific resources and not all resources. If these IAM policy changes were not planned, immediately revoke them and investigate the source of the changes.
References
  • CIS AWS Benchmark 3.4: "Ensure a log metric filter and alarm exist for IAM policy changes"
Previous
AWS EC2 VPC Modified
Next
AWS KMS CMK Loss
Last modified 1yr ago
Copy link