activity_dashboard_logs_by_accountactivity_dashboard_logs_by_actoractivity_dashboard_logs_by_eventactivity_dashboard_logs_by_regionactivity_dashboard_logs_by_serviceactivity_dashboard_logs_by_source_ipactivity_dashboard_total_logscloudfront_distribution_default_certificate_disabledcloudfront_distribution_logging_disabledcloudtrail_trail_global_service_logging_disabledcloudtrail_trail_kms_key_updatedcloudtrail_trail_logging_stoppedcloudtrail_trail_s3_logging_bucket_updatedcloudwatch_log_group_created_with_encryption_disabledcodebuild_project_environment_variable_updatedcodebuild_project_service_role_updatedcodebuild_project_source_repository_updatedcodebuild_project_visibility_set_publicconfig_configuration_recorder_stoppedconfig_rule_deletedebs_encryption_by_default_disabledebs_snapshot_created_with_encryption_disabledebs_snapshot_shared_publiclyebs_snapshot_unlockedebs_volume_detachedec2_ami_shared_publiclyec2_instance_launched_with_public_ipec2_key_pair_deletedec2_reserved_instance_purchasedefs_file_system_backup_policy_disabledeventbridge_rule_deletedeventbridge_rule_disabledguardduty_detector_deletediam_access_key_creatediam_access_key_deletediam_group_administrator_policy_attachediam_group_inline_policy_updatediam_identity_created_without_cloudformationiam_role_administrator_policy_attachediam_role_inline_policy_updatediam_role_managed_policy_attachediam_root_user_console_loginiam_root_user_email_address_updatediam_user_administrator_policy_attachediam_user_creatediam_user_inline_policy_updatediam_user_login_profile_creatediam_user_login_profile_updatediam_user_managed_policy_attachediam_user_mfa_device_deactivatediam_user_password_changedkms_key_deletion_scheduledlambda_function_created_with_function_code_encryption_at_rest_disabledlambda_function_granted_public_accessrds_db_cluster_deletion_protection_disabledrds_db_instance_assigned_public_ip_addressrds_db_instance_deletion_protection_disabledrds_db_instance_iam_authentication_disabledrds_db_instance_master_password_updatedrds_db_instance_restored_from_public_snapshotroot_user_activity_report_aws_accounts_inputroot_user_activity_report_tableroot_user_activity_report_total_logsroute_53_domain_transfer_lock_disabledroute_53_domain_transferredroute_53_hosted_zone_associated_with_vpcs3_bucket_block_public_access_disableds3_bucket_deleteds3_bucket_policy_granted_public_accesss3_bucket_policy_updateds3_large_file_downloadedses_identity_feedback_forwarding_disabledsns_topic_granted_public_accesssqs_queue_created_with_encryption_at_rest_disabledsqs_queue_dlq_disabledsqs_queue_granted_public_accessssm_document_shared_publiclyvpc_classic_link_enabledvpc_createdvpc_deletedvpc_flow_log_deletedvpc_internet_gateway_added_to_public_route_tablevpc_internet_gateway_detachedvpc_network_acl_entry_updatedvpc_network_acl_entry_updated_with_allow_public_accessvpc_peering_connection_deletedvpc_route_table_association_replacedvpc_route_table_deletedvpc_route_table_route_deletedvpc_route_table_route_disassociatedvpc_security_group_deletedvpc_security_group_ingress_egress_rule_authorized_to_allow_allvpc_security_group_ingress_egress_rule_updatedwaf_web_acl_disassociated_from_cloudfront_distributionwaf_web_acl_disassociated_from_elb_application_load_balancerwaf_web_acl_logging_disabled
Query: iam_group_administrator_policy_attached
Usage
powerpipe query aws_cloudtrail_log_detections.query.iam_group_administrator_policy_attachedTailpipe Tables
SQL
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'groupName' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'iam.amazonaws.com' and event_name = 'AttachGroupPolicy' and (request_parameters ->> 'policyArn') like 'arn:%:iam::aws:policy/AdministratorAccess' and error_code is null
order by event_time desc;
Detections
The query is being used by the following detections: