AN0458: Analytic 0458
Chain: (1) cloud API calls that fetch tenant/organization password policy (e.g., AWS `GetAccountPasswordPolicy`, GCP/OCI equivalents or IAM settings reads); (2) within a short window, the same principal creates users, rotates creds, or changes auth settings. Use cloud audit logs.
Analyst context for executives and security teams
This analytic matters because it looks for a cloud identity pattern that can precede or accompany unauthorized account setup: a principal reads the tenant or organization password policy and soon after creates users, rotates credentials, or changes authentication settings. For leaders, the value is not that the password policy read is suspicious by itself; it is that policy discovery followed by identity changes can signal risk to cloud account governance and incident response readiness.
Executive priority
Prioritize this as a cloud IAM governance and audit-evidence question: can the organization prove who read password policy settings, who changed users or credentials shortly afterward, and whether those actions were expected administrative work? This is especially relevant for IaaS environments where cloud audit logs are often the deciding evidence for incident scoping, compliance reviews, and rapid containment decisions.
Technical view
Validate whether cloud audit logs capture both sides of the chain: password policy or IAM settings reads, such as AWS GetAccountPasswordPolicy or equivalent GCP/OCI IAM settings reads, and subsequent user creation, credential rotation, or authentication setting changes by the same principal within a short time window. Because no ATT&CK tactics, relationships, or formal detection logic are supplied, teams should treat this as a correlation analytic that needs local baselining of normal IAM administration activity.
Likely telemetry
- Cloud audit logs for IaaS control-plane activity
- IAM or identity administration events
- Password policy or organization authentication settings read events
- User creation events
- Credential rotation or credential update events
Detection direction
- Correlate password policy or IAM settings reads with user, credential, or authentication changes by the same principal within a short window.
- Tune for expected administrative workflows, automation, onboarding processes, and compliance tooling that legitimately reads password policy before making identity changes.
- Confirm logs preserve the principal identity consistently across read and change events, including service accounts or automation identities.
- Review alert context for whether the principal, timing, source, and affected users match approved change activity.
- Treat isolated password policy reads as lower-confidence unless paired with the described follow-on identity changes.
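One way to implement the correlation described in this section over CloudTrail-style audit records, as an added Python example that is not part of the AN0458 analytic or this page. The records are constructed; the 30-minute window, the ARNs, and every event name other than GetAccountPasswordPolicy are assumptions to tune against local IAM administration baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Step (1): policy/IAM settings reads. Only GetAccountPasswordPolicy is on the page; GetAccountSummary is assumed.
POLICY_READS = {"GetAccountPasswordPolicy", "GetAccountSummary"}
# Step (2): follow-on identity changes mapped to the page's categories (assumed IAM event names).
IDENTITY_CHANGES = {
    "CreateUser": "user creation",
    "CreateAccessKey": "credential rotation",
    "UpdateLoginProfile": "credential rotation",
    "UpdateAccountPasswordPolicy": "auth setting change",
    "DeactivateMFADevice": "auth setting change",
}
WINDOW = timedelta(minutes=30)  # assumed "short window"; baseline against local admin activity
def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, window=WINDOW):
    """One finding per policy read that the same principal follows with identity changes inside window."""
    by_principal = defaultdict(list)
    for e in events:  # key on the principal identity so reads and changes join consistently
        by_principal[e["userIdentity"]["arn"]].append(e)
    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, read in enumerate(evs):
            if read["eventName"] not in POLICY_READS:
                continue  # an isolated read never becomes a finding on its own
            t0 = parse_time(read["eventTime"])
            follow = [e for e in evs[i + 1:] if e["eventName"] in IDENTITY_CHANGES
                      and parse_time(e["eventTime"]) - t0 <= window]
            if follow:
                findings.append({
                    "principal": principal, "read": read["eventName"],
                    "source_ips": sorted({e["sourceIPAddress"] for e in [read, *follow]}),
                    "changes": [(e["eventName"], IDENTITY_CHANGES[e["eventName"]]) for e in follow],
                })
    return findings
def rec(name, arn, t, ip="203.0.113.10"):  # builds one constructed CloudTrail-style record
    return {"eventName": name, "userIdentity": {"arn": arn}, "eventTime": t, "sourceIPAddress": ip}

ADMIN = "arn:aws:sts::111122223333:assumed-role/ExampleAdmin/session-1"  # constructed
SCANNER = "arn:aws:iam::111122223333:user/compliance-scanner"            # constructed
SAMPLE_EVENTS = [
    rec("GetAccountPasswordPolicy", SCANNER, "2025-01-01T09:00:00Z"),   # isolated read -> no finding
    rec("GetAccountPasswordPolicy", ADMIN, "2025-01-01T10:00:00Z"),
    rec("CreateUser", ADMIN, "2025-01-01T10:04:00Z"),
    rec("CreateAccessKey", ADMIN, "2025-01-01T10:05:00Z", ip="198.51.100.7"),
    rec("UpdateAccountPasswordPolicy", ADMIN, "2025-01-01T11:30:00Z"),  # beyond window -> excluded
]
```

The scanner's lone read produces nothing, while the admin session's read followed by a user creation and a key creation within the window yields one finding carrying principal, source addresses and the categorised changes for triage against approved change records.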
Mitigation priorities
- Ensure cloud audit logging is enabled and retained for IAM and authentication-related control-plane activity.
- Define approved administrative paths for user creation, credential rotation, and authentication setting changes.
- Limit IAM administration permissions to authorized principals and review permissions that allow both policy discovery and identity modification.
- Require change tracking or ticket context for routine identity administration so SOC and IR teams can distinguish expected work from anomalous chains.
- Periodically test that detections can join policy-read events to subsequent identity changes across the relevant IaaS environments.
Analyst notes and limits
The supplied object is a detection analytic for IaaS environments, not a full ATT&CK technique entry. Its practical value is in validating cloud audit-log correlation around identity administration behavior. The object names AWS GetAccountPasswordPolicy and references GCP/OCI equivalents or IAM settings reads, but it does not provide vendor-specific event lists or detection thresholds.
No official detection text, tactics, labels, aliases, or relationship context were supplied. The short-window threshold, normal administrative baselines, false-positive profile, and exact event names must be determined from the local cloud environment and logging configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc3fbe2e52b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0458 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.