Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for AWS IAM

AWS IAM
AWS IAM icon

Out-of-the-Box Security For AWS IAM Includes:

Alerts - 15

Stay on top of AWS IAM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Assume Role Policy Was Updated

This rule detects an update to the "AssumeRole" policy The "AssumeRole" policy is a critical aspect of IAM that is used to delegate access to AWS resources in a secure and controlled manner. Impact An adversary may attempt to modify a assume role policy in order to weaken an organization's security controls. Mitigation Investigate the change and validate if the user was authorized to perform the update action. MITRE Tactic: TA0004 MITRE Technique: T1484

Account Password Policy Was Updated

This rule detects the updating of a password policy. Impact An adversary may attempt to modify a password policy in order to weaken an organization's security controls. Mitigation Investigate the change and validate if the user was authorized to perform the update action. MITRE Tactic: TA0004 MITRE Technique: T1484

A User Was Removed From A Group

This rule detects the removing of a user from a group. Impact An adversary may remove a group to revoke the access of users to disrupt normal operations. Mitigation Verify that the remove operation and the user performing it were legitimate. MITRE Tactic: TA0040 MITRE Technique: T1531

A User's Inline Policy Was Updated

This rule detects updates to an IAM inline policy of a user. Impact Attaching inline policies with excessive privileges could lead to privilege escalation, it is hard to keep track of permissions and make adjustments since the policy is individual for that user and can potentially allow a malicious actor to commit malicious actions and enable an attack. Mitigation Remove the inline user policy, If the user requires these privileges to perform his work and daily tasks, add him to a designated user group with the relevant permissions. Always manage permissions and privileges using specific role groups with specific permissions this is the preferred way to handle user permissions in AWS and is considered the best practice. MITRE Tactic: TA0004 MITRE Technique: T1078

Password Recovery Request

This rule detects AWS IAM password recovery requests. Impact Password recovery is an important authentication mechanism; An unauthorized password recovery request could indicate malicious activity. Mitigation Investigate the change and validate the action since password recovery request might be an adversary tactic for account take over. MITRE Tactic: TA0003 MITRE Technique: T1098

Virtual MFA Deleted For Root User

This rule detects the deletion of the MFA configuration of the root user. A virtual MFA is software two-factor authentication solution (authenticator app) which for itself is considered less safe than a hardware 2FA device. Impact Without MFA, access to the root user will only require a username / password combination. This significantly reduces the security of the root account and if performed by an adversary is definitely a malicious action. In general, according to AWS guidelines, the use of the root account is unadvised. Therefore root user activity is considered a highly irregular event and could indicate an attacker activity on the root account. Mitigation Investigate the change and validate the action with the performing user since the removal of MFA might indicate malicious activity. MITRE Tactic: TA0040 MITRE Technique: T1531

A Group Was Deleted

This rule detects the deletion of a user group. Impact Group deletion actions should be reviewed and validated as authorized. An adversary can delete a group to harm or evade detection. Bulk deletion operations (many consecutive group deletion alerts) should be especially inspected. consecutive deletion alerts can also be configured by fine-tuning this alert. Mitigation Validate that the action was approved and investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531

A User Deleted Via AWS SSO / IAM Identity Center

This rule detects the deletion of an AWS user via AWS SSO / IAM Identity center. This differs from a user being deleted through IAM console as it could also include users from other directories as Okta / Active Directory / Azure AD / JumpCloud etc. Impact User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be especially inspected. consecutive deletion alerts can also be configured by fine-tuning this alert. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531

User Deleted

This rule detects the deletion of an AWS user. Impact User deletion actions should be reviewed and validated as authorized. An adversary can delete a user to harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be especially inspected. consecutive deletion alerts can also be configured by fine-tuning this alert. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531

A User Was Granted Programmatic Access

This rule detects when a user is given an access key. When an IAM user is given an access key in AWS, it allows the user to programmatically access AWS resources and services using the AWS API or command-line tools. The access key consists of an access key ID and a secret access key, which are required to authenticate the user's requests to AWS. Impact If an adversary gains access to an IAM user's access key, they can use it to launch attacks on AWS resources and services, such as launching instances, accessing data, or modifying configurations. Mitigation To mitigate these risks, it is recommended to enable MFA for all IAM users and rotate access keys regularly. Additionally, users should only be granted the minimum permissions necessary to perform their required tasks, and those permissions should be reviewed and updated regularly to prevent unauthorized access. MITRE Tactic: TA0005 MITRE Technique: T1578

User Created

This rule detects when an IAM user is created. Impact If an adversary gains access to create an IAM user in an AWS environment, he can create a new IAM user with elevated privileges and use it to gain access to sensitive data or resources. They could also modify existing IAM policies to gain additional permissions. Mitigation Verify if the create user action was valid. To mitigate the impact of such attacks, it is recommended to follow AWS best practices for IAM management, such as enabling multi-factor authentication (MFA) and monitoring IAM activity. MITRE Tactic: TA0005 MITRE Technique: T1578

Access Analyzer Deleted

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. Impact When an access analyzer is deleted, It gives a chance to the malicious actor to share access to the environment without being detected. Mitigation Validate that this activity is legitimate, if not investigate further according to company policies. Create a new Access Analyzer. MITRE Tactic: TA0006 MITRE Technique: T1552

Building Block - Remove User From Admin Group

This alert detects whenever an IAM user is removed from the admins group.

Building Block - Add User To Admin Group

This alert detects whenever an IAM user is added to the admins group.

Flow Alert - Ephemeral Admins

This flow alert detects when a user was added briefly to the admins group and then removed after a short period of time

Documentation

Learn more about Coralogix's out-of-the-box integration with AWS IAM in our documentation.

Read More
Schedule Demo