MEDIUM CloudWatch · CIS 4.4

IAM policy changes alarm

Check ID: aws-cw-004

AWS-CW-004 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch Logs metric filter and a matching alarm exist to detect IAM policy changes (CreatePolicy, DeletePolicy, AttachRolePolicy, etc.) in the CloudTrail log group. Without this monitoring, privilege escalation through IAM policy changes goes undetected.

Why it matters

IAM policy changes are the primary mechanism for privilege escalation in AWS. An attacker who gains initial access with limited permissions will immediately attempt to create new policies, attach admin policies to their compromised role, or modify existing policies to grant broader access. The 2020 Paige Thompson (Capital One) attack chain included creating new IAM policies to expand access beyond the initially compromised role. Detecting policy changes in real time allows security teams to intervene before the attacker escalates from read-only reconnaissance to destructive actions. This alarm should trigger an immediate investigation, because legitimate IAM changes are infrequent and typically happen during planned change windows.

Common causes

Organizations rely on CloudTrail log review during periodic audits rather than real-time detection. IAM policy changes are infrequent enough that teams do not prioritize automated alerting, assuming manual review is sufficient. Some teams configure broad SIEM alerts for all CloudTrail events but lack a specific filter for IAM policy mutations, so real escalation events are lost in alert noise.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# Create metric filter:
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.4 \
  --filter-pattern '{ ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) || ... }' \
  --metric-transformations metricName=CIS-4-4,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.4 \
  --metric-name CIS-4-4 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <SNS_TOPIC_ARN>

Remediation: Terraform

resource "aws_cloudwatch_log_metric_filter" "cis_4_4" {
  name           = "CIS-4.4"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName=CreatePolicy) || ($.eventName=DeletePolicy) || ($.eventName=AttachRolePolicy) || ($.eventName=DetachRolePolicy) }"

  metric_transformation {
    name      = "CIS-4-4"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_4" {
  alarm_name          = "CIS-4.4"
  metric_name         = "CIS-4-4"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
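To see what the filter and alarm above actually do with CloudTrail data, here is an added example (not part of cloud-audit or this page) that models the CIS-4.4 filter pattern and the 300-second Sum >= 1 alarm in Python over constructed CloudTrail records. The event-name set is the four names from the Terraform pattern, and the sample records are made up.

```python
"""Offline model of the CIS 4.4 metric filter and alarm over CloudTrail records."""
import json
from collections import Counter
from datetime import datetime, timezone

# Event names from the Terraform filter pattern above; extend this set with the
# remaining IAM policy mutations your filter pattern lists.
POLICY_MUTATIONS = frozenset({
    "CreatePolicy", "DeletePolicy", "AttachRolePolicy", "DetachRolePolicy",
})
PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 1          # --threshold 1 with GreaterThanOrEqualToThreshold


def filter_matches(record: dict) -> bool:
    """Mimic '{ ($.eventName=CreatePolicy) || ... }': true if eventName is in the set."""
    return record.get("eventName") in POLICY_MUTATIONS


def period_start(event_time: str) -> int:
    """Bucket an ISO-8601 CloudTrail eventTime into its 300-second period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS


def alarm_periods(records: list) -> dict:
    """Return {period_start: count} for every period whose Sum reaches THRESHOLD."""
    sums = Counter(period_start(r["eventTime"]) for r in records if filter_matches(r))
    return {start: n for start, n in sums.items() if n >= THRESHOLD}


# Constructed sample CloudTrail records (not real log data): two policy
# mutations inside one 5-minute window, surrounded by read-only IAM calls.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:05Z", "eventName": "ListPolicies", "eventSource": "iam.amazonaws.com"},
    {"eventTime": "2024-01-15T10:01:10Z", "eventName": "CreatePolicy", "eventSource": "iam.amazonaws.com"},
    {"eventTime": "2024-01-15T10:02:40Z", "eventName": "AttachRolePolicy", "eventSource": "iam.amazonaws.com"},
    {"eventTime": "2024-01-15T10:20:00Z", "eventName": "GetRole", "eventSource": "iam.amazonaws.com"},
]})


def scan(log_text: str = SAMPLE_LOG) -> dict:
    """Run the filter and alarm model over a CloudTrail log file body."""
    return alarm_periods(json.loads(log_text)["Records"])


if __name__ == "__main__":
    for start, count in sorted(scan().items()):
        when = datetime.fromtimestamp(start, timezone.utc).isoformat()
        print(f"ALARM CIS-4.4: {count} IAM policy change(s) in period starting {when}")
```

Only the 10:00 to 10:05 window alarms; the read-only ListPolicies and GetRole calls never count toward the metric, which is why the filter must name the mutating events explicitly.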

Compliance mapping

This check maps to CIS 4.4 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit; install it with pip install cloud-audit.