Detection: IAM User Email Address Updated
Overview
Detect when the email address associated with a root IAM user was updated. Unauthorized email updates can enable attackers to intercept password resets or critical notifications, posing significant security risks. Monitoring these changes ensures alignment with security policies and prevents account misuse.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.iam_root_user_email_address_updated
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.iam_root_user_email_address_updated --share
SQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'userName' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'iam.amazonaws.com' and event_name = 'EmailUpdated' and user_identity.type = 'Root' and error_code is null
order by event_time desc;