Detection: IAM Role Managed Policy Attached
Overview
Detect when managed policy was attached to IAM roles. Managed policies are standalone policies that can be attached to multiple identities, such as users, groups, and roles. Over-permissive or unmanaged policies can grant excessive access to sensitive resources, increasing the risk of privilege escalation, unauthorized access, or accidental modifications.
Regularly monitoring these attachments ensures adherence to the principle of least privilege, reduces the attack surface, and supports compliance with security best practices.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.iam_role_managed_policy_attachedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.iam_role_managed_policy_attached --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'roleName' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'iam.amazonaws.com' and event_name = 'AttachRolePolicy' and error_code is null
order by event_time desc;