Users signed in to AWS from an approved country

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (not acceptable risk)
Rule ID: RTM-005

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS user authentication session initiated from a non-approved country. Allowing users from non-approved countries to access your AWS account could be very problematic because usually these authentication requests are performed by people with malicious intent.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.


In this context, an approved country is a known region from where the access to your AWS account is eligible and permitted (i.e. from where any AWS authentication request is accepted, approved and recognized). In opposition, a non-approved country is a banned region, from where all AWS user authentication requests are labeled as denied, unrecognised or suspicious.

As a security best practice, it is always recommended to restrict access to your AWS infrastructure from a country where your business is not operating from. For example, all employees within your company are supposed to connect to your AWS infrastructure from Sydney office, as the business main application should be managed only by the Australian division. If your AWS account needs to respond to an authentication request initiated from another country (other than Australia), the request could be a potential threat to your AWS infrastructure, therefore is evaluated as non-authorized.

Another example is when your company is required to deploy the AWS workload in Sydney region for data sovereignty and data residency reasons. You can easily configure the rule and define Australia as the only approved country in order to avoid the risk of breaking the existent regulations, which could put the business at risk due to the rigorous Australian data privacy laws.

In order to enable RTMA intrusion detection for this conformity rule, you must define the list of approved (safelisted) countries within the rule configuration using the Cloud Conformity dashboard. Once the rule is configured and all authorized countries are defined, the geo restriction detection becomes active and you will be notified by the RTMA agent for any login session initiated from a non-approved country which will help you take immediate action.

Important Note:
To benefit from the RTMA detection used by this rule, you need to specify first the list of approved countries within the rule settings.


Monitoring root and IAM access in real-time is essential for keeping your Amazon Web Services account safe. With the Cloud Conformity RTMA logon detection that filters authentication requests made from non-authorized countries you will gain real-time visibility into your AWS account access login activity and help you respond fast to any unauthorized access session that could represent a threat to your AWS infrastructure.

To reduce the exposure to this kind of security issue, you can make use of a VPN connection by connecting your AWS Virtual Private Cloud (VPC) to a remote network or machine or utilize the AWS Direct Connect service which can provide as well a dedicated private connection from a remote network/system to your AWS VPC. You can also combine the connection created with Direct Connect with an AWS hardware VPN connection in order to create an IPsec-encrypted tunnel.

Cloud Conformity RTMA enforces secure access to your AWS account by providing a real-time detection rule (based on behavioural analysis and assurance) that will create and send notifications to your recipient(s) in the event of user authentication from a non-approved country that represents a major source of hacking attacks according to the newest global cyber security investigation reports.


Publication date May 24, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Users signed in to AWS from an approved country

Risk level: Medium