MITRE ATT&CK® Analytic

AN0291: Analytic 0291

Detects unauthorized changes to IAM authentication configurations such as disabling MFA, creating backdoor access keys, or altering trust policies. Correlates identity policy updates with unusual login behavior.

Enterprise | AN0291 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0291 focuses on detecting unauthorized changes to IAM authentication settings in IaaS environments, such as disabling MFA, creating backdoor access keys, or changing trust policies. For security leaders, the practical issue is that identity configuration changes can quickly become business-impacting control failures: attackers or unauthorized insiders may preserve access, bypass expected authentication controls, or weaken cloud governance before other alerts become obvious.

Executive priority

Prioritize this analytic as an identity and cloud control assurance question: can the organization prove when high-risk IAM authentication configurations change, who made the change, and whether the change coincides with unusual login behavior? This supports incident decision-making, audit evidence for access control governance, and resilience planning for cloud-hosted operations. Because no tactic or relationship context is supplied, treat this as a defensive validation area rather than a complete threat scenario.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for IAM policy updates, MFA configuration changes, access key creation, trust policy changes, and related authentication activity in IaaS environments. The official description specifically calls for correlating identity policy updates with unusual login behavior, so teams should test whether configuration-change events and login telemetry can be joined by principal, account, role, time window, source location, and authentication outcome. Since ATT&CK provides no official detection logic here, local baselining and change-management context are required to distinguish malicious or unauthorized changes from approved administration.

Likely telemetry

  • IaaS IAM configuration change logs
  • MFA enablement or disablement events
  • Access key creation and modification events
  • Trust policy or role policy update events
  • Identity policy update events

Detection direction

  • Validate alerts for high-risk IAM authentication changes, especially MFA disablement, new access keys, and trust policy changes.
  • Correlate IAM configuration changes with unusual login behavior rather than treating each event in isolation.
  • Tune detections against known administrative workflows to reduce false positives from legitimate cloud operations.
  • Check whether logs identify the acting principal, target identity or role, source context, timestamp, and authentication result.
  • Review blind spots where IAM logs are not centralized, retention is short, or cloud accounts/projects are outside SOC visibility.
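The join that the technical view and the detection-direction list call for, as an added example (it is not part of the ATT&CK object or of Glexia's analysis): a small Python script that takes high-risk IAM change events, looks for logins by the same principal in the preceding hour, compares the login source against a per-principal baseline, and checks the change against a change-management window. It assumes CloudTrail-style event names and fields (eventName, userIdentity.arn, sourceIPAddress, responseElements.ConsoleLogin, additionalEventData.MFAUsed), a hypothetical account 123456789012, and constructed sample events and change windows; both event names and field paths will differ on other providers.

```python
"""Correlate high-risk IAM authentication changes with unusual login activity."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Assumption: CloudTrail-style event names and fields; adapt for other providers.
HIGH_RISK_EVENTS = {
    "DeactivateMFADevice": "mfa_disabled", "DeleteVirtualMFADevice": "mfa_device_deleted",
    "CreateAccessKey": "access_key_created", "UpdateAssumeRolePolicy": "trust_policy_changed",
    "PutUserPolicy": "identity_policy_updated",
}
LOGIN_EVENT = "ConsoleLogin"
LOOKBACK = timedelta(hours=1)  # how far before a change to look for the enabling login


def parse_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def principal_of(ev):
    return ev["userIdentity"]["arn"]


def login_baseline(events, before):
    """Source IPs each principal successfully logged in from before `before`."""
    seen = defaultdict(set)
    for ev in events:
        if (ev["eventName"] == LOGIN_EVENT and parse_time(ev["eventTime"]) < before
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            seen[principal_of(ev)].add(ev["sourceIPAddress"])
    return seen


def in_approved_window(principal, ts, windows):
    """windows: (principal_arn, start, end) tuples taken from change management."""
    return any(p == principal and s <= ts <= e for p, s, e in windows)


def correlate(events, approved_windows, baseline_cutoff):
    """Flag high-risk IAM changes with no change-management cover, or preceded by a
    login from a source never seen for that principal or made without MFA."""
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    baseline = login_baseline(events, baseline_cutoff)
    logins = [e for e in events if e["eventName"] == LOGIN_EVENT]
    findings = []
    for ev in events:
        label = HIGH_RISK_EVENTS.get(ev["eventName"])
        if label is None:
            continue
        actor, ts = principal_of(ev), parse_time(ev["eventTime"])
        reasons = set()
        if not in_approved_window(actor, ts, approved_windows):
            reasons.add("no approved change window")
        for lg in logins:  # logins by the same principal shortly before the change
            if principal_of(lg) != actor or not (ts - LOOKBACK <= parse_time(lg["eventTime"]) <= ts):
                continue
            if lg["sourceIPAddress"] not in baseline.get(actor, set()):
                reasons.add("login from unseen source " + lg["sourceIPAddress"])
            if lg.get("additionalEventData", {}).get("MFAUsed") == "No":
                reasons.add("login without MFA")
        if reasons:
            params = ev.get("requestParameters") or {}
            findings.append({"time": ev["eventTime"], "principal": actor, "change": label,
                             "target": params.get("userName") or params.get("roleName"),
                             "reasons": sorted(reasons)})
    return findings


def _ev(time, name, user, ip, **extra):
    """Build one constructed CloudTrail-style event (hypothetical account 123456789012)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"}, **extra}


LOGIN_OK = {"responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}
# Constructed sample telemetry: baseline logins, then a suspicious sequence by alice.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "ConsoleLogin", "alice", "203.0.113.10", **LOGIN_OK),
    _ev("2024-05-01T09:05:00Z", "ConsoleLogin", "bob", "203.0.113.10", **LOGIN_OK),
    _ev("2024-05-07T10:02:00Z", "ConsoleLogin", "alice", "198.51.100.77",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _ev("2024-05-07T10:10:00Z", "DeactivateMFADevice", "alice", "198.51.100.77",
        requestParameters={"userName": "alice"}),
    _ev("2024-05-07T10:12:00Z", "CreateAccessKey", "alice", "198.51.100.77",
        requestParameters={"userName": "svc-backup"}),
    _ev("2024-05-07T11:00:00Z", "ConsoleLogin", "bob", "203.0.113.10", **LOGIN_OK),
    _ev("2024-05-07T11:05:00Z", "UpdateAssumeRolePolicy", "bob", "203.0.113.10",
        requestParameters={"roleName": "DeployRole"}),
]
# Constructed change-management record: bob's trust-policy change was approved.
APPROVED_WINDOWS = [("arn:aws:iam::123456789012:user/bob",
                     parse_time("2024-05-07T11:00:00Z"), parse_time("2024-05-07T12:00:00Z"))]


def run_sample():
    return correlate(SAMPLE_EVENTS, APPROVED_WINDOWS, parse_time("2024-05-07T00:00:00Z"))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample, alice's MFA deactivation and the key she creates for svc-backup are both flagged (no change window, login from an unseen address, login without MFA), while bob's trust-policy update inside an approved window after a normal login produces nothing. The baseline here is a set of source IPs; in production it would come from weeks of login history, and the change windows from the ticketing system, which is exactly the "local baselining and change-management context" the technical view says ATT&CK leaves to the organization.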

Mitigation priorities

  • Ensure high-risk IAM authentication changes require strong administrative governance and review.
  • Maintain reliable logging and retention for IAM configuration and authentication events across IaaS environments.
  • Use change-management evidence to separate approved IAM changes from unplanned or suspicious changes.
  • Regularly review MFA status, access keys, and trust policies for drift from expected configuration.
  • Prepare IR playbooks for suspected IAM backdoor creation, including key review, policy rollback, and account access validation.

Analyst notes and limits
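One way to do the drift review of trust policies called for above, as an added example (not from the ATT&CK object or Glexia's analysis): it compares a live trust policy to the approved baseline statement by statement, ignoring key order, and separately flags principals that should not be able to assume the role. It assumes AWS-style trust-policy JSON, a hypothetical own account ID and partner-account allow list, and a constructed baseline/live policy pair.

```python
"""Review IAM role trust policies for drift and risky principals."""
import json

OWN_ACCOUNT = "123456789012"                  # assumption: the account under review
TRUSTED_EXTERNAL_ACCOUNTS = {"210987654321"}  # assumption: approved cross-account partners
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML",
                  "sts:AssumeRoleWithWebIdentity", "sts:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_principals(statement):
    """Flatten Principal ("*", or {"AWS"/"Service"/"Federated": str|list}) to strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out = []
    for values in principal.values():
        out.extend(_as_list(values))
    return out


def account_of(principal):
    """Account ID from an ARN such as arn:aws:iam::111122223333:root, else None."""
    parts = principal.split(":")
    return parts[4] if len(parts) == 6 and parts[4].isdigit() else None


def canonical(statement):
    """Key-order-independent serialisation so equivalent statements compare equal."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":"))


def review_trust_policy(role_name, policy):
    """Flag Allow statements that let the world or unapproved accounts assume the role."""
    issues = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(st.get("Action", []))):
            continue
        for p in statement_principals(st):
            account = account_of(p)
            if p == "*":
                issues.append(f"{role_name}: any principal may assume the role")
            elif account is None or account == OWN_ACCOUNT:
                continue  # service principal or same-account principal
            elif account not in TRUSTED_EXTERNAL_ACCOUNTS:
                issues.append(f"{role_name}: trusts unapproved account {account} ({p})")
            elif "Condition" not in st:
                issues.append(f"{role_name}: cross-account trust of {account} has no Condition "
                              "(for example sts:ExternalId)")
    return issues


def trust_policy_drift(expected, current):
    """Statements in the live policy but not the approved baseline, and vice versa."""
    exp = {canonical(s) for s in _as_list(expected.get("Statement", []))}
    cur = {canonical(s) for s in _as_list(current.get("Statement", []))}
    return {"added": sorted(cur - exp), "removed": sorted(exp - cur)}


# Constructed sample: the approved baseline and the live policy read back from the provider.
EXPECTED_DEPLOY_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
]}
LIVE_DEPLOY_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Allow"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Action": "sts:AssumeRole"},
]}


def run_sample():
    return {"issues": review_trust_policy("DeployRole", LIVE_DEPLOY_ROLE),
            "drift": trust_policy_drift(EXPECTED_DEPLOY_ROLE, LIVE_DEPLOY_ROLE)}


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The reordered first statement in the live policy is not reported as drift because comparison is on the canonical form; the second statement is reported both as drift and as a trust of an account outside the allow list. Run against every role on a schedule, the drift output gives the reviewer a concrete diff to reconcile with change tickets rather than a whole policy to re-read.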

This object is a detection analytic for IaaS IAM authentication configuration changes. Its value is strongest when used to validate identity security monitoring and cloud change-control assurance. The supplied ATT&CK fields do not include tactics, related techniques, adversary relationships, or official detection logic, so implementation should be driven by the organization’s cloud architecture, IAM model, and administrative process.

Analysis is limited to the supplied STIX fields, external reference, and the single official description. No relationship context, tactic mapping, specific cloud provider, query logic, or confirmed detection coverage is provided. Local telemetry availability and environment-specific baselines are required before operational use.

Official MITRE ATT&CK definition

Analytic 0291

Detects unauthorized changes to IAM authentication configurations such as disabling MFA, creating backdoor access keys, or altering trust policies. Correlates identity policy updates with unusual login behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 438035cb8e7d9ddb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 438035cb8e7d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0291 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.