
AWS IAM User Addition to Group

Status: production
Severity: low
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). Any user added to a group automatically gains the permissions that are assigned to the group. If the target group carries elevated or admin privileges, this action can instantly grant high-risk permissions useful for credential misuse, lateral movement, or privilege escalation.


Rule body (elastic)

[metadata]
creation_date = "2020/06/04"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). Any user added to a
group automatically gains the permissions that are assigned to the group. If the target group carries elevated or admin
privileges, this action can instantly grant high-risk permissions useful for credential misuse, lateral movement, or
privilege escalation.
"""
false_positives = [
    """
    Legitimate operations such as new user onboarding, role changes, or service account updates may trigger this event.
    Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User
    additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
    can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS IAM User Addition to Group"
note = """## Triage and analysis

### Investigating AWS IAM User Addition to Group

This rule detects when an IAM user is added to an IAM group via the `AddUserToGroup` API call. If the target group holds elevated privileges, this action may immediately grant that user wide-ranging access useful for credential misuse or lateral movement. This rule helps detect unauthorized privilege escalation via group membership change. Treat as high-risk when the destination group has wide scope (e.g., AdministratorAccess or permissive inline policies).

#### Possible investigation steps

- **Identify the actor and target**  
  - Check `aws.cloudtrail.user_identity.arn` for who added the user.  
  - From `aws.cloudtrail.request_parameters`, capture `userName` (added user) and `groupName` (destination group).  
  - Check `source.ip`, `user_agent.original`, `cloud.region` for unusual patterns.

- **Examine the group’s privileges**  
  - Use `GetGroup`, `ListAttachedGroupPolicies` to see what policies the group holds. Look for `AdministratorAccess`, `iam:*`, `s3:*`, `ec2:*` or cross-account permissions.  
  - Check whether the group was recently created (`CreateGroup`) or recently escalated (`AttachGroupPolicy`). Common attacker pattern: create > attach policy > add user.

- **Correlate with surrounding activity**  
  - Look for preceding events by the actor: `AssumeRole`, `GetSessionToken`, `CreateAccessKey`, `AttachGroupPolicy`.  
  - Follow the added user’s activities after group membership. Look for sensitive operations (e.g., IAM actions, S3 policy changes, EC2 snapshot/AMI activity).


### False positive analysis

- Onboarding or role transitions may legitimately add users to groups.  
- Automated Identity-Management pipelines may add many users to service groups; validate know

### Response and remediation

- **Containment**:
  - If unapproved, remove the user from the group immediately (`RemoveUserFromGroup`) and rotate their access keys.
  - Temporarily restrict group policy changes while assessing blast radius.

- **Investigation and scoping**:
  - Review all actions executed by the newly added user since the change (ex: PutBucketPolicy, CreateAccessKey, PassRole).
  - Confirm whether other users were added to the same group within the same window. 

- **Recovery and hardening**: 
  - Enforce least privilege by redesigning large-group membership. 
  - Restrict `iam:AddUserToGroup` to only appropriate service principals with approval workflow. 
  - Create detections for AttachGroupPolicy to powerful policies and for mass AddUserToGroup patterns.

### Additional information
[AWS Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)
"""
references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: aws.cloudtrail and 
    event.provider: iam.amazonaws.com and 
    event.action: AddUserToGroup and 
    event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "user.target.name",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
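The investigation guide in the rule body asks the analyst to examine the destination group's policies, to look for a preceding CreateGroup / AttachGroupPolicy by the same actor (the create > attach policy > add user pattern), and, under hardening, to watch for mass AddUserToGroup patterns. The Python below is an added example and not part of the Elastic rule or the detection-rules repository: it runs those three checks over a constructed set of already-normalized events and a constructed snapshot of group policy attachments that stands in for the output of ListAttachedGroupPolicies. The event field names, the 30-minute and 5-minute windows, the threshold of three additions and the list of high-risk policy names are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events for this example (not real CloudTrail data).
# Each dict carries only what the checks need; the field names are this example's own.
ACCOUNT = "arn:aws:iam::123456789012"
EVENTS = [
    # an actor creates a group, attaches AdministratorAccess, then adds a user to it
    {"time": "2024-01-01T09:50:00Z", "actor": ACCOUNT + ":user/alice", "action": "CreateGroup",
     "params": {"groupName": "ops-temp"}},
    {"time": "2024-01-01T09:52:00Z", "actor": ACCOUNT + ":user/alice", "action": "AttachGroupPolicy",
     "params": {"groupName": "ops-temp", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"time": "2024-01-01T09:55:00Z", "actor": ACCOUNT + ":user/alice", "action": "AddUserToGroup",
     "params": {"groupName": "ops-temp", "userName": "bob"}},
    # routine onboarding by an automation role into a read-only group
    {"time": "2024-01-01T11:00:00Z", "actor": ACCOUNT + ":role/onboarding-automation",
     "action": "AddUserToGroup", "params": {"groupName": "ReadOnlyUsers", "userName": "carol"}},
    # one actor adding several users to an admin group within a minute
    {"time": "2024-01-01T12:00:00Z", "actor": ACCOUNT + ":user/mallory", "action": "AddUserToGroup",
     "params": {"groupName": "Admins", "userName": "u1"}},
    {"time": "2024-01-01T12:00:20Z", "actor": ACCOUNT + ":user/mallory", "action": "AddUserToGroup",
     "params": {"groupName": "Admins", "userName": "u2"}},
    {"time": "2024-01-01T12:00:40Z", "actor": ACCOUNT + ":user/mallory", "action": "AddUserToGroup",
     "params": {"groupName": "Admins", "userName": "u3"}},
    {"time": "2024-01-01T12:01:00Z", "actor": ACCOUNT + ":user/mallory", "action": "AddUserToGroup",
     "params": {"groupName": "Admins", "userName": "u4"}},
]

# Constructed snapshot of each group's attached managed policies, standing in for the
# ListAttachedGroupPolicies output an analyst would fetch during triage.
GROUP_POLICIES = {
    "ops-temp": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    "ReadOnlyUsers": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "Admins": ["arn:aws:iam::aws:policy/AdministratorAccess"],
}

# Assumed list of managed policy names treated as high risk for this example.
HIGH_RISK_POLICIES = ("AdministratorAccess", "IAMFullAccess", "PowerUserAccess")


def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def group_is_high_risk(group):
    """Guide step 'examine the group's privileges': does the group hold a broad managed policy?"""
    return any(name in arn for arn in GROUP_POLICIES.get(group, []) for name in HIGH_RISK_POLICIES)


def preceding_setup(add_event, events, window=timedelta(minutes=30)):
    """Guide step 'correlate with surrounding activity': CreateGroup / AttachGroupPolicy calls
    by the same actor on the same group shortly before the addition (create > attach > add)."""
    t = ts(add_event)
    group = add_event["params"]["groupName"]
    return sorted({e["action"] for e in events
                   if e["actor"] == add_event["actor"]
                   and e["action"] in ("CreateGroup", "AttachGroupPolicy")
                   and e["params"].get("groupName") == group
                   and t - window <= ts(e) < t})


def mass_addition_actors(events, threshold=3, window=timedelta(minutes=5)):
    """Hardening suggestion 'mass AddUserToGroup patterns': actors with at least `threshold`
    additions inside one sliding window."""
    by_actor = {}
    for e in events:
        if e["action"] == "AddUserToGroup":
            by_actor.setdefault(e["actor"], []).append(ts(e))
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t <= start + window) >= threshold:
                flagged.add(actor)
                break
    return flagged


def triage(events):
    """Apply the three checks to every AddUserToGroup event and rank it for the analyst."""
    mass = mass_addition_actors(events)
    findings = []
    for e in events:
        if e["action"] != "AddUserToGroup":
            continue
        group = e["params"]["groupName"]
        reasons = []
        if group_is_high_risk(group):
            reasons.append("destination group holds high-risk policies")
        if {"CreateGroup", "AttachGroupPolicy"} <= set(preceding_setup(e, events)):
            reasons.append("create > attach policy > add user pattern by the same actor")
        if e["actor"] in mass:
            reasons.append("mass additions by this actor")
        findings.append({"actor": e["actor"], "user": e["params"]["userName"], "group": group,
                         "priority": "high" if reasons else "low", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding["priority"], finding["actor"], finding["user"], "->", finding["group"], finding["reasons"])
```

The onboarding addition into a read-only group comes out as low priority with no reasons attached, which is the false-positive case the rule's own notes describe; the two other scenarios are ranked high for different reasons, so the analyst sees at a glance which of the guide's checks fired rather than a bare alert.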

Stages and Predicates

Stage 1: query

data_stream.dataset: aws.cloudtrail and 
    event.provider: iam.amazonaws.com and 
    event.action: AddUserToGroup and 
    event.outcome: success
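As an added example, and not code from the Elastic rule or the detection-rules repository, the Python below applies the four predicates of the query above to constructed raw CloudTrail records. The rule matches on ECS fields, so the example first performs a field mapping assumed to approximate what the Elastic AWS integration's CloudTrail ingest pipeline does (eventSource to event.provider, eventName to event.action, the presence of an errorCode key to event.outcome: failure, requestParameters kept as a JSON string); that mapping, the sample records and the helper names are assumptions of this example. It also shows why a denied AddUserToGroup call does not fire the rule, which matters when scoping an incident: failed attempts have to be searched for separately.

```python
import json

# Constructed raw CloudTrail records for this example (not real events).
SAMPLE_RECORDS = [
    {   # a successful addition: this one should match the rule
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY00001"},
        "requestParameters": {"groupName": "Admins", "userName": "bob"},
    },
    {   # the same call denied by IAM: errorCode present, so event.outcome becomes failure
        "eventTime": "2024-01-01T10:01:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "errorCode": "AccessDenied",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.11",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/dave",
                         "accessKeyId": "AKIAEXAMPLEKEY00002"},
        "requestParameters": {"groupName": "Admins", "userName": "dave"},
    },
    {   # a different IAM read call: event.action does not match
        "eventTime": "2024-01-01T10:02:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListGroups",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLEKEY00001"},
        "requestParameters": None,
    },
]


def normalize(record):
    """Map a raw CloudTrail record to the ECS fields the rule uses (assumed, simplified
    version of the integration's ingest pipeline)."""
    identity = record.get("userIdentity") or {}
    return {
        "@timestamp": record.get("eventTime"),
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
        "aws.cloudtrail.user_identity.arn": identity.get("arn"),
        "aws.cloudtrail.user_identity.type": identity.get("type"),
        "aws.cloudtrail.user_identity.access_key_id": identity.get("accessKeyId"),
        "aws.cloudtrail.request_parameters": json.dumps(record.get("requestParameters") or {}),
        "source.ip": record.get("sourceIPAddress"),
        "user_agent.original": record.get("userAgent"),
        "cloud.region": record.get("awsRegion"),
    }


# The four predicates of the KQL query, as field -> expected value.
RULE_PREDICATES = {
    "data_stream.dataset": "aws.cloudtrail",
    "event.provider": "iam.amazonaws.com",
    "event.action": "AddUserToGroup",
    "event.outcome": "success",
}


def matches_rule(doc):
    """True when every predicate of the query holds for the normalized document."""
    return all(doc.get(field) == value for field, value in RULE_PREDICATES.items())


def triage_fields(doc):
    """Pull out what the investigation guide asks for first: actor, added user, destination group."""
    params = json.loads(doc["aws.cloudtrail.request_parameters"])
    return {
        "actor": doc["aws.cloudtrail.user_identity.arn"],
        "user": params.get("userName"),
        "group": params.get("groupName"),
        "source_ip": doc["source.ip"],
        "user_agent": doc["user_agent.original"],
        "region": doc["cloud.region"],
    }


def run_rule(records):
    """Normalize every record, keep the ones the query matches, and return their triage fields."""
    return [triage_fields(doc) for doc in map(normalize, records) if matches_rule(doc)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(hit)
```

Only the first record survives: the denied call is dropped by the event.outcome predicate and the ListGroups call by event.action. If the investigation also needs the denied attempts, query the same dataset with event.outcome: failure and the same event.action instead of widening this rule.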

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                 Kind   Values
data_stream.dataset   eq     aws.cloudtrail
event.action          eq     AddUserToGroup
event.outcome         eq     success
event.provider        eq     iam.amazonaws.com