* [New Rule] AWS Sensitive IAM Operations Performed via CloudShell
This rule detects sensitive AWS IAM operations performed via CloudShell based on the user agent string. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the console without requiring local tooling. When attackers gain access to a compromised console session, CloudShell enables them to perform privileged operations such as creating users, access keys, roles, or attaching policies—leaving no artifacts on their local system. This behavior is documented in the Permiso blog on LUCR-3 (Scattered Spider) and the CISA Scattered Spider advisory, where threat actors leveraged CloudShell for post-compromise credential harvesting and privilege escalation.
No existing rules specifically detect CloudShell as the origin for sensitive IAM operations. This fills a gap by identifying high-risk actions from this browser-based execution context.
* adding iam provider
* primary tactic change
* updating highlighted fields
* removed bold from IG
* Apply suggestions from code review
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Isai
f10de64527