AN0771: Analytic 0771
Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise.
Analyst context for executives and security teams
This analytic is about spotting unexpected cloud IAM role or policy changes in AWS, GCP, or Azure, especially changes attached to a user or service outside normal patterns or business hours. For leaders, the value is not just detecting a configuration change; it is validating whether the organization can quickly identify identity privilege expansion that may follow account compromise and could affect cloud control, data access, and incident containment.
Executive priority
Prioritize this as a cloud identity governance and incident-readiness control. Unexpected IAM role or policy attachment can change who or what has access to critical cloud resources, so security leaders should ask whether cloud identity changes are monitored centrally, reviewed after-hours, and tied to accountable owners. This also supports audit evidence for privileged access management and helps incident responders determine whether a suspected compromised account gained broader cloud permissions.
Technical view
SOC and detection teams should validate monitoring for new IAM roles or policies attached to users or services across IaaS environments: AWS, GCP, and Azure. Because ATT&CK provides no detailed detection logic for AN0771, teams should define local baselines for normal IAM administration patterns, approved automation, expected service principals, and maintenance windows. Alerting should focus on unusual timing, unusual actor, unusual target identity, and privilege-relevant policy attachment, with enrichment from identity context and change-management records.
Likely telemetry
- Cloud control-plane audit logs for IAM role and policy attachment events
- Cloud identity and access management change logs
- User, service account, and service principal activity records
- Administrative session and authentication logs
- Change-management or ticketing evidence for approved IAM changes
Detection direction
- Confirm that IAM policy and role attachment events are collected from AWS, GCP, and Azure environments in scope.
- Build baselines for normal IAM changes by actor, target identity, service, project/account/subscription, and time window.
- Tune for approved automation and scheduled administrative work to reduce false positives.
- Prioritize alerts where changes occur outside normal hours, involve sensitive users or services, or lack an associated approved change record.
- Ensure investigation playbooks check whether the actor account shows signs of compromise before or around the IAM change.
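The baseline-and-deviation approach described in the Technical view and the detection direction above, as an added example that is not part of the ATT&CK object or the Glexia page: sample events, the baseline values and the normalized field layout are constructed assumptions, while the action names are the real AWS, GCP and Azure IAM operations. Each event is scored against timing, actor, target, privilege and change-record criteria, and only events with two or more deviations are surfaced.

```python
from datetime import datetime

# Constructed sample events in an assumed normalized schema (not a real log format);
# the "action" values are the real AWS, GCP and Azure IAM operation names.
EVENTS = [
    {"cloud": "aws", "time": "2024-03-04T10:15:00Z", "actor": "iam-automation",
     "action": "AttachUserPolicy", "target": "user/app-deployer",
     "policy": "arn:aws:iam::aws:policy/ReadOnlyAccess", "ticket": "CHG-1001"},
    {"cloud": "aws", "time": "2024-03-04T02:40:00Z", "actor": "alice",
     "action": "AttachUserPolicy", "target": "user/alice",
     "policy": "arn:aws:iam::aws:policy/AdministratorAccess", "ticket": None},
    {"cloud": "gcp", "time": "2024-03-05T14:05:00Z", "actor": "bob@example.com",
     "action": "SetIamPolicy", "target": "serviceAccount/ci-runner",
     "policy": "roles/owner", "ticket": None},
    {"cloud": "azure", "time": "2024-03-06T09:30:00Z", "actor": "terraform-sp",
     "action": "Microsoft.Authorization/roleAssignments/write",
     "target": "sp/ingest-pipeline", "policy": "Reader", "ticket": "CHG-1002"},
]

# The local baseline the analytic says each team must define; these values are invented.
BASELINE = {
    "approved_automation": {"iam-automation", "terraform-sp"},
    "business_hours_utc": (8, 18),  # [start, end) hour, Monday to Friday
    "sensitive_targets": {"serviceAccount/ci-runner", "user/break-glass"},
    "privileged_policies": {"arn:aws:iam::aws:policy/AdministratorAccess", "roles/owner", "Owner"},
}

def assess_event(event, baseline):
    """Return the list of baseline deviations for one IAM role/policy attachment."""
    reasons = []
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")  # UTC by construction
    hours = baseline["business_hours_utc"]
    if ts.weekday() >= 5 or not hours[0] <= ts.hour < hours[1]:
        reasons.append("outside_hours")       # unusual timing
    if event["actor"] not in baseline["approved_automation"]:
        reasons.append("unapproved_actor")    # unusual actor
    if event["target"] in baseline["sensitive_targets"]:
        reasons.append("sensitive_target")    # sensitive target identity
    if event["policy"] in baseline["privileged_policies"]:
        reasons.append("privileged_policy")   # privilege-relevant attachment
    if event["target"].endswith("/" + event["actor"]):
        reasons.append("self_grant")          # actor widened its own access
    if not event.get("ticket"):
        reasons.append("no_change_record")    # no change-management evidence
    return reasons

def triage(events, baseline, threshold=2):
    """Alert on events with at least `threshold` deviations, most suspicious first."""
    scored = [(assess_event(e, baseline), e) for e in events]
    return sorted([s for s in scored if len(s[0]) >= threshold], key=lambda s: -len(s[0]))
```

Approved automation running outside hours with a ticket scores a single deviation and stays below the threshold, which is the tuning the page asks for; a self-granted AdministratorAccess at 02:40 with no ticket ranks first.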
Mitigation priorities
- Centralize and retain cloud IAM change telemetry before relying on detection outcomes.
- Enforce least privilege and limit who can attach roles or policies to users and services.
- Use change-control expectations for privileged IAM modifications, especially outside normal hours.
- Review service accounts and automation identities so expected policy changes are distinguishable from suspicious ones.
- Prepare incident response steps to revoke unexpected privileges and assess downstream access if compromise is suspected.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0771, for IaaS platforms. It describes detection of new IAM roles or policies attached to a user or service in AWS, GCP, or Azure outside normal patterns or hours, often following account compromise. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensive validation and cloud identity monitoring rather than a specific ATT&CK technique mapping.
This assessment is limited to the supplied STIX fields and external reference. ATT&CK did not provide detection pseudocode, data component mappings, relationships, or tactic context for this object. Local cloud architecture, logging configuration, identity model, approved automation, and business-hours definitions are required to turn this into reliable production detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2eba8caffa43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0771
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.