Create Account: Create Cloud Account


Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

In addition to user accounts, cloud accounts may be associated with services. Cloud providers handle the concept of service accounts in different ways. In Azure, service accounts include service principals and managed identities, which can be linked to various resources such as OAuth applications, serverless functions, and virtual machines in order to grant those resources permissions to perform various activities in the environment. In GCP, service accounts can also be linked to specific resources, as well as be impersonated by other accounts for Temporary Elevated Cloud Access [MITRE]. While AWS has no specific concept of service accounts, resources can be directly granted permission to assume roles.

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

Once an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources, for example by adding Additional Cloud Credentials [MITRE] or assigning Additional Cloud Roles [MITRE].

AWS Specific Content
A prerequisite for this technique is that a threat actor has already gained control of an AWS identity with the permissions to perform the actions in the AWS CloudTrail Event Name(s) section.

In AWS, an AWS account is a container where you can create and manage your AWS resources. An account is also a unique identity, typically associated with a user, that grants access to a specific system or resource, for example an IAM user or an AWS IAM Identity Center user. With access to an AWS identity that has the appropriate permissions, threat actors may create additional IAM users within an AWS account. The threat actor will then perform unauthorized activity through the new IAM user rather than the originally compromised identity, reducing the chance that defenders are alerted to evidence of the original compromise.

Detection

Collect usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.

AWS Specific Content
When this technique is used by the threat actor, actions taken by the threat actor using the credentials obtained will be logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region for the events listed in the AWS CloudTrail Event Name(s) section, such as iam:CreateUser.

A separate CloudTrail trail will give you an ongoing record of events in your AWS account past 90 days and can be configured to log events in multiple regions. You can also review events using the console as well as the AWS CLI.

It is also possible to create a CloudWatch metric filter to watch for when specific AWS API calls are used and perform notification actions if logged, and additionally configure CloudWatch to automatically perform an action in response to an alarm.
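As an added example, not part of the original page or an AWS-provided tool, the detection logic above run over constructed CloudTrail records: it flags the two event names from the AWS CloudTrail Event Name(s) section, notes when the same actor then attaches AdministratorAccess to the user it just created (the follow-on described under Additional Cloud Roles), and produces the CloudWatch Logs filter pattern a metric filter would use. All record values (account ID, ARNs, IP addresses, user names) are constructed sample data.

```python
import json

# Constructed sample CloudTrail records for illustration (not real logs);
# field names follow the CloudTrail record schema.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2025-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2025-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2025-01-01T11:00:00Z", "eventSource": "sso-directory.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "contractor01"}},
])

# The two CloudTrail events this technique maps to, keyed by (eventSource, eventName).
ACCOUNT_CREATION_EVENTS = {("iam.amazonaws.com", "CreateUser"),
                           ("sso-directory.amazonaws.com", "CreateUser")}

def find_account_creations(log_text):
    # One finding per account-creation event in JSON-lines CloudTrail data. A finding is
    # marked admin_follow_up when the same actor later attaches AdministratorAccess to the
    # user it just created, which is the privilege-assignment follow-on worth alerting on.
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) not in ACCOUNT_CREATION_EVENTS:
            continue
        new_user = rec.get("requestParameters", {}).get("userName")
        actor = rec.get("userIdentity", {}).get("arn")
        admin_follow_up = any(
            r.get("eventName") == "AttachUserPolicy"
            and r.get("userIdentity", {}).get("arn") == actor
            and r.get("requestParameters", {}).get("userName") == new_user
            and r.get("requestParameters", {}).get("policyArn", "").endswith("/AdministratorAccess")
            and r.get("eventTime", "") >= rec["eventTime"]
            for r in records)
        findings.append({"time": rec["eventTime"], "source": rec["eventSource"], "actor": actor,
                         "new_user": new_user, "source_ip": rec.get("sourceIPAddress"),
                         "admin_follow_up": admin_follow_up})
    return findings

def metric_filter_pattern():
    # CloudWatch Logs filter pattern for a metric filter on the log group a trail delivers to;
    # an alarm on the resulting metric provides the notification described above.
    return ('{ ($.eventSource = "iam.amazonaws.com" && $.eventName = "CreateUser") || '
            '($.eventSource = "sso-directory.amazonaws.com" && $.eventName = "CreateUser") }')
```

On the sample data, `find_account_creations(SAMPLE_LOG)` returns two findings, the first of which has `admin_follow_up` set because alice attached AdministratorAccess to svc-backup one minute after creating it.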
Mitigation

AWS Specific Content
Review and remove unauthorized IAM or AWS IAM Identity Center users in your AWS account that may have been created by a threat actor.

You can make sure that principals are scoped with the least-privileged permissions necessary to perform their duties, limiting the ability to perform unauthorized actions in an AWS account. One possible method of applying the principle of least privilege is to use Service Control Policies (SCPs) to restrict the maximum available permissions for the IAM users and IAM roles within your AWS Organizations accounts (note: test SCPs in a development environment before deploying them in production).

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.
References

AWS Specific Information
AWS Services:
  • AWS Identity and Access Management (IAM)
  • AWS IAM Identity Center
AWS CloudTrail Event Names:
  • iam:CreateUser
  • sso-directory:CreateUser

Technique Information

ID: T1136.003
Aliases: T1136.003
Sub-technique of: T1136
Tactics:
  • Persistence
Platforms:
  • Azure AD
  • Office 365
  • IaaS
  • Google Workspace
  • SaaS
  • Amazon Web Services (AWS)
Created: 12 Sep 2024
Last Modified: 30 May 2025