AWS

Last updated Apr 30, 2025

AWS IAM User Created

Detects when a principal creates a new AWS IAM user (a CloudTrail CreateUser event from the IAM service).

Query

Matches AWS CloudTrail audit log events whose event name is CreateUser, extracts the name of the new user from the request parameters into target_user, and renames the account and region fields to the common cloud_account and cloud_region names.

| search event_name == "CreateUser"
| eval target_user = valueof(req_params, "userName")
| rename account_id as cloud_account, aws_region as cloud_region

Message

  • AWS IAM account creation: Cloud $cloud_account, Region $cloud_region, Account $user, New Account $target_user

Output field order

  • _log_time, cloud_account, cloud_region, src_ip, user, user_type, event_source, event_name, target_user, user_agent

Threat Analysis

  • IAM user creation is often routine operational work, but it is also a classic persistence technique: an attacker who has compromised one identity creates an additional IAM user to keep a foothold in the account.
  • The new user survives even if the originally compromised credentials are rotated, disabled, or stripped of permissions, so a responder who only fixes the first identity leaves the backdoor in place.
  • If the new user is attached to administrative or broad IAM policies, or is given its own access keys and console password, the result is privilege escalation and durable persistence inside the account.

False Positive Types

  • Legitimate user creation by the security or operations team as part of approved procedures for new infrastructure deployment or service operations.
  • Authorized account creation during AWS account consolidation or new team member onboarding.
  • Automated creation of predefined users through scripts or Infrastructure as Code (IaC) tools such as Terraform or CloudFormation; these runs have a recognisable user agent and source IP.
  • Other AWS services that also emit a CreateUser event through CloudTrail, for example Amazon MQ, Amazon Connect, and AWS Transfer Family. The query filters on event_name only, so confirm that event_source is iam.amazonaws.com before treating the event as IAM user creation.

Response Actions

  • On a CreateUser event, immediately review what the new user has been given: attached and inline policies, group memberships, access keys (CreateAccessKey), and a console password (CreateLoginProfile). In CloudTrail these usually follow within seconds of the creation, from the same caller.
  • Check the creation against change records or the IaC pipeline to confirm it was approved.
  • If the user is unauthorized, contain it before deleting it: deactivate or delete its access keys, delete its login profile and MFA devices, and attach an explicit-deny policy or remove it from its groups so that any temporary credentials it has already obtained stop working. DeleteUser itself fails until the keys, policies, group memberships, and login profile have been removed.
  • Pivot on the source IP, user agent, and calling identity (the user field) of the CreateUser event and look for what else that identity did around the same time, such as CreateAccessKey, AttachUserPolicy, or PutUserPolicy, to find other indicators of compromise.
  • To prevent recurrence, restrict iam:CreateUser to a small provisioning path (for example a service control policy that denies it to everything except a designated provisioning role) and prefer IAM roles with temporary credentials over long-lived IAM users.
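The detection logic from the Query and Output field order sections, plus the first triage checks from the Response Actions, run over constructed CloudTrail records. This is an added Python example, not part of the original rule or its query language. The sample records, the CI egress allow-list, and the IaC user-agent hints are assumptions made for the example; it also shows scoping the match to event_source iam.amazonaws.com, which the page's query does not do.

```python
"""Run the "AWS IAM User Created" logic over constructed CloudTrail records."""

# Output field order from the rule definition.
OUTPUT_FIELDS = ["_log_time", "cloud_account", "cloud_region", "src_ip", "user",
                 "user_type", "event_source", "event_name", "target_user", "user_agent"]
MESSAGE = ("AWS IAM account creation: Cloud {cloud_account}, Region {cloud_region}, "
           "Account {user}, New Account {target_user}")

# Assumptions used only for triage: egress IPs of the CI runners and
# user-agent substrings of the IaC tools that are allowed to create users.
KNOWN_EGRESS_IPS = {"203.0.113.10"}
IAC_USER_AGENT_HINTS = ("terraform", "cloudformation")

# Constructed sample events (not real logs), shaped like CloudTrail records.
SAMPLE_RECORDS = [
    {   # IAM user created by an IAM user through the CLI from a CI runner
        "eventTime": "2025-04-30T09:12:41Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "recipientAccountId": "111122223333", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
        "requestParameters": {"userName": "backup-admin"},
    },
    {   # Same eventName emitted by Amazon MQ: a broker user, not an IAM user
        "eventTime": "2025-04-30T09:15:02Z", "eventSource": "mq.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "recipientAccountId": "111122223333", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
        "requestParameters": {"brokerId": "b-0000", "username": "mq-app"},
    },
    {   # IAM user created by the root user from the console, unknown source IP
        "eventTime": "2025-04-30T22:48:13Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1",
        "recipientAccountId": "111122223333", "sourceIPAddress": "198.51.100.77",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "requestParameters": {"userName": "svc-maint"},
    },
]


def caller_name(identity):
    """Readable caller: the IAM user name, 'root', or the role that was assumed."""
    kind = identity.get("type", "")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return identity.get("userName", "")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName") or identity.get("arn", "")
    return identity.get("arn", "")


def match_rule(record, iam_only=True):
    """The rule's filter is eventName == CreateUser. With iam_only the match is
    also scoped to the IAM service, dropping other services' CreateUser calls."""
    if record.get("eventName") != "CreateUser":
        return False
    return not iam_only or record.get("eventSource") == "iam.amazonaws.com"


def to_alert(record):
    """Build the alert row in the rule's output field order."""
    identity = record.get("userIdentity", {})
    row = {
        "_log_time": record.get("eventTime"),
        "cloud_account": record.get("recipientAccountId"),
        "cloud_region": record.get("awsRegion"),
        "src_ip": record.get("sourceIPAddress"),
        "user": caller_name(identity),
        "user_type": identity.get("type"),
        "event_source": record.get("eventSource"),
        "event_name": record.get("eventName"),
        "target_user": record.get("requestParameters", {}).get("userName"),
        "user_agent": record.get("userAgent", ""),
    }
    assert list(row) == OUTPUT_FIELDS
    return row


def run_rule(records, iam_only=True):
    return [to_alert(r) for r in records if match_rule(r, iam_only)]


def format_message(alert):
    return MESSAGE.format(**alert)


def triage_flags(alert):
    """Indicators the response actions say to look at first."""
    ua = alert["user_agent"].lower()
    checks = [
        (alert["user_type"] == "Root", "caller_is_root"),
        ("console.amazonaws.com" in ua, "interactive_console"),
        (not any(h in ua for h in IAC_USER_AGENT_HINTS), "not_iac_user_agent"),
        (alert["src_ip"] not in KNOWN_EGRESS_IPS, "unknown_source_ip"),
    ]
    return [flag for hit, flag in checks if hit]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_RECORDS):
        print(format_message(alert), "| flags:", ", ".join(triage_flags(alert)) or "none")
```

With iam_only left at its default the Amazon MQ record is dropped and two alerts remain; passing iam_only=False reproduces the page's query exactly and fires on all three CreateUser records. The root-created user collects every triage flag, which is the case to handle first.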

MITRE ATT&CK