Monitoring AWS account user activity can help you and your organization meet security and compliance requirements and respond quickly to unauthorized access sessions or potential security breaches. TrendAI Vision One™ Cloud Risk Management can detect in real time any successful and unsuccessful AWS Management Console sign-in events triggered by IAM and federated users.

An IAM user is an identity created for your Amazon Web Services account that has specific custom permissions (for example, permissions to manage RDS database instances within a particular region). You can use an IAM user name and password to sign in to your AWS Management Console in order to access all your provisioned resources (when the user has admin-level privileges) or to access a certain service or resource (when the user has a specific set of permissions that follows the principle of least privilege). A federated user is an entity managed externally that can be authorized to access AWS service APIs and AWS resources. For example, you can authorize a federated user to call AWS CloudFormation APIs as an alternative to creating IAM users to use CloudFormation.

The Cloud Risk Management RTMA engine integrates with the Amazon CloudTrail service, which records the attempts to sign in to the AWS Management Console. All AWS IAM user sign-in attempts (successes and failures), all federated user sign-in events (successes and failures) and all successful AWS root account sign-in attempts (root sign-in failures are not detected) generate records in CloudTrail log files. The RTMA engine scans the CloudTrail log files for entries associated with these sign-in events, including the IP address of the entity signing in and whether MFA was enforced for that sign-in, then sends notifications to the recipients defined in the Cloud Risk Management Dashboard settings. The communication channels for sending these notifications can be easily configured within the Cloud Risk Management Dashboard.
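To make the CloudTrail side of this concrete, the following is an added example (not Cloud Risk Management's own code) of the kind of scan the paragraph above describes. It assumes the CloudTrail log-file layout (a JSON object whose `Records` array holds one event per entry) and that console sign-ins are recorded with `eventName` `ConsoleLogin` from `eventSource` `signin.amazonaws.com`, with the outcome in `responseElements.ConsoleLogin` and the MFA flag in `additionalEventData.MFAUsed`. The sample records are constructed for this example; the `load_records`, `extract_signin_events`, `flag_events` and `format_alert` names are this example's own.

```python
"""Scan CloudTrail records for AWS Management Console sign-in events.

Added example, not Cloud Risk Management's code. Assumes the CloudTrail
log-file layout ({"Records": [...]}) and the ConsoleLogin event fields.
"""
import gzip
import json
from typing import Dict, Iterable, List

# Constructed sample records in the shape of a CloudTrail log file.
SAMPLE_LOG = {
    "Records": [
        {   # IAM user, successful sign-in with MFA: nothing to flag
            "eventTime": "2024-01-15T08:02:11Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "sourceIPAddress": "203.0.113.10",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
        {   # IAM user, failed sign-in
            "eventTime": "2024-01-15T08:05:40Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "bob"},
            "sourceIPAddress": "198.51.100.7",
            "responseElements": {"ConsoleLogin": "Failure"},
            "errorMessage": "Failed authentication",
            "additionalEventData": {"MFAUsed": "No"},
        },
        {   # root account, successful sign-in without MFA
            # (root sign-in failures produce no record, so none can be scanned for)
            "eventTime": "2024-01-15T09:11:02Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root"},
            "sourceIPAddress": "192.0.2.44",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
        },
        {   # federated user, successful sign-in with MFA
            "eventTime": "2024-01-15T09:30:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "FederatedUser", "userName": "carol@example.com"},
            "sourceIPAddress": "203.0.113.25",
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
        {   # unrelated API call: must be ignored by the scan
            "eventTime": "2024-01-15T09:31:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "sourceIPAddress": "203.0.113.10",
            "responseElements": None,
        },
    ]
}


def load_records(path: str) -> List[dict]:
    """Read a gzip-compressed CloudTrail log file and return its Records array."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


def extract_signin_events(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Keep only ConsoleLogin events and pull out the fields worth alerting on."""
    events = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin" or rec.get("eventSource") != "signin.amazonaws.com":
            continue
        # CloudTrail emits JSON null for absent objects, so guard against None, not just missing keys.
        identity = rec.get("userIdentity") or {}
        response = rec.get("responseElements") or {}
        extra = rec.get("additionalEventData") or {}
        identity_type = identity.get("type", "Unknown")
        events.append({
            "time": rec.get("eventTime", ""),
            "identity_type": identity_type,
            "user": identity.get("userName", "<root>" if identity_type == "Root" else "<unknown>"),
            "source_ip": rec.get("sourceIPAddress", ""),
            "outcome": response.get("ConsoleLogin", "Unknown"),
            "mfa_used": extra.get("MFAUsed", "Unknown"),
        })
    return events


def flag_events(events: Iterable[Dict[str, str]]) -> List[dict]:
    """Select the sign-ins a defender wants notified about: failures,
    successes without MFA, and any root account sign-in."""
    flagged = []
    for event in events:
        reasons = []
        if event["outcome"] != "Success":
            reasons.append("failed sign-in")
        elif event["mfa_used"] != "Yes":
            reasons.append("success without MFA")
        if event["identity_type"] == "Root":
            reasons.append("root account sign-in")
        if reasons:
            flagged.append({**event, "reasons": reasons})
    return flagged


def format_alert(event: dict) -> str:
    """Render one flagged event as a single notification line."""
    return (f"{event['time']} {event['identity_type']} {event['user']} from {event['source_ip']}: "
            f"{event['outcome']} (MFA={event['mfa_used']}) -> {', '.join(event['reasons'])}")


if __name__ == "__main__":
    # For a real file: flag_events(extract_signin_events(load_records("trail.json.gz")))
    for alert in flag_events(extract_signin_events(SAMPLE_LOG["Records"])):
        print(format_alert(alert))
```

Run against the constructed records, the scan ignores the S3 call, passes the two MFA-protected sign-ins, and raises two alerts: the failed IAM sign-in and the root sign-in without MFA. The `None`-guards matter in practice because CloudTrail writes `responseElements: null` for many API events, and a plain `.get("...", {})` does not protect against that.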
The list of supported communication channels that you can use to receive AWS IAM sign-in event alerts are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.
This rule can help you work with the AWS Well-Architected Framework.
Monitoring IAM access in real time is essential for keeping your Amazon Web Services account secure. When an IAM user or a federated user is used by an inexperienced person within your organization, their actions can lead to severe security issues, data leaks, data loss or even unexpected charges on your AWS bill, which is why it is important to know who is signing in to your AWS account. Once enabled, TrendAI Vision One™ Cloud Risk Management RTMA starts monitoring IAM sign-in events in order to help you gain visibility into your account user activity, and sends notifications whenever AWS Management Console sign-in events are produced. Besides granting your IAM and federated users the minimum privileges necessary to perform their assigned tasks, TrendAI Vision One™ Cloud Risk Management recommends using this RTMA feature to monitor your AWS account user activity 24/7.