DET0277: Detection Strategy for Role Addition to Cloud Accounts
Analyst context for executives and security teams
DET0277 is a MITRE detection strategy for identifying role additions to cloud accounts. The business issue is not the role change itself; it is that a new or expanded cloud role can preserve access after an initial compromise and can elevate control over IaaS, identity provider, Office Suite, or SaaS environments, as reflected by the related ATT&CK technique T1098.003 Additional Cloud Roles.
Executive priority
Security leaders should treat this as an identity and cloud control validation item. Ask whether privileged role additions are logged, reviewed, and explainable through approved change processes. This matters for resilience because unauthorized administrator or IAM permission changes can undermine incident containment, cloud governance, audit evidence, and recovery decisions.
Technical view
The ATT&CK object has no official description or detection logic, but it detects T1098.003, which is associated with persistence and privilege escalation. SOC and IR teams should validate monitoring for creation or assignment of cloud roles, IAM policy updates, administrator role grants, and permission changes across relevant cloud, identity provider, Office Suite, and SaaS control planes. Detection should distinguish approved administration from unexpected grants to newly created, dormant, external, or unusual accounts.
Likely telemetry
- Cloud control-plane audit logs for IAM role, policy, and permission changes
- Identity provider directory audit logs for privileged role assignment
- Office Suite and SaaS administrator audit events
- Privileged account activity and session logs
- Change-management or ticketing records for approved role additions
Detection direction
- Confirm that audit logging captures both the actor making the change and the target account receiving the role or permission.
- Alert on privileged role additions, broad policy grants, or administrator assignments outside approved change windows or workflows.
- Correlate role additions with account creation, unusual login activity, or recent privilege escalation indicators where local telemetry supports it.
- Tune expected noise from normal IAM administration, onboarding, service account management, and break-glass procedures.
- Look for blind spots in SaaS and identity-provider audit retention, cloud regions/accounts not onboarded to logging, and logs that omit policy-diff detail.
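As an added example (not part of the DET0277 object or this page), the detection direction above applied in Python over constructed CloudTrail-style IAM events and constructed change-approval records: privileged grants outside an approved window are flagged, and a grant to an account created shortly beforehand is annotated. The IAM event names are real API names; the account id, user names, time window and the set of policies treated as privileged are assumptions.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style IAM events (invented values; field layout follows the
# CloudTrail record schema: eventTime, eventName, userIdentity, requestParameters).
EVENTS = [
    {"eventTime": "2026-03-02T09:15:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2026-03-02T09:17:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2026-03-02T14:05:00Z", "eventName": "AddUserToGroup",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"userName": "bob", "groupName": "Administrators"}},
    {"eventTime": "2026-03-02T14:20:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]
# Constructed change-management records: who may receive a role, and in which window.
APPROVED = [{"target": "bob", "start": "2026-03-02T14:00:00Z", "end": "2026-03-02T15:00:00Z"}]
GRANT_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AddUserToGroup", "PutUserPolicy"}
PRIVILEGED_POLICIES = ("AdministratorAccess", "IAMFullAccess")  # assumed "broad" set; tune locally

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_privileged(params):
    policy = params.get("policyArn", "")
    return policy.endswith(PRIVILEGED_POLICIES) or "admin" in params.get("groupName", "").lower()

def detect_role_additions(events, approved, new_account_window=timedelta(hours=24)):
    """Flag privileged grants with no approved change window; annotate grants whose
    target account was created within new_account_window (new-account correlation)."""
    created = {e["requestParameters"]["userName"]: _ts(e["eventTime"])
               for e in events if e["eventName"] == "CreateUser"}
    findings = []
    for e in events:
        params = e["requestParameters"]
        if e["eventName"] not in GRANT_EVENTS or not is_privileged(params):
            continue
        target = params.get("userName") or params.get("roleName")  # role grants use roleName
        when = _ts(e["eventTime"])
        if any(a["target"] == target and _ts(a["start"]) <= when <= _ts(a["end"]) for a in approved):
            continue  # approved administration: tuned out as expected noise
        reasons = ["privileged grant outside an approved change window"]
        if target in created and when - created[target] <= new_account_window:
            reasons.append("target account created %s before grant" % (when - created[target]))
        findings.append({"actor": e["userIdentity"]["arn"], "target": target,
                         "event": e["eventName"], "reasons": reasons})
    return findings
```

Running it over the constructed events yields one finding: the AdministratorAccess grant to svc-backup2, which has no approval and targets an account created two minutes earlier; bob's group addition is suppressed by its change record and alice's ReadOnlyAccess grant is not privileged.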
Mitigation priorities
- Enforce least privilege and restrict who can grant privileged cloud or administrator roles.
- Require strong approval and review workflows for privileged role additions.
- Use privileged access management or time-bound elevation where available.
- Regularly review privileged role membership and IAM policy changes against business owners and change records.
- Preserve audit logs centrally with sufficient retention for incident response and compliance evidence.
Analyst notes and limits
This take is based on the supplied detection-strategy object and its relationship to T1098.003 Additional Cloud Roles. The supplied DET0277 record does not include an official MITRE description, detection text, tactics, or platforms, so practical guidance is derived from the related technique context and kept at a control-validation level.
Local platform coverage, log field names, retention, alert thresholds, and approved administrative workflows must be validated in the environment. This summary does not claim active exploitation, attribution, or existing detection coverage.
Detection Strategy for Role Addition to Cloud Accounts
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1098.003 | Additional Cloud Roles (sub-technique) | This object detects Additional Cloud Roles. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e7d031d10252… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0277
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.