RealTime Monitoring Rules

1: Root Account Console Login

📘 Use of the AWS root account is not recommended because it has unrestricted access to all resources; it poses significant risk if compromised.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-250: Execution with Unnecessary Privileges
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: NA
  • Rule Set: RTM

2: Root Account Console Login without MFA

📘 Using the root account without Multi-Factor Authentication (MFA) significantly increases the risk of unauthorized access. MFA provides an additional layer of security.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-308: Use of Single-factor Authentication
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: NA
  • Rule Set: RTM

3: User Account Console Login without MFA

📘 User accounts without MFA are a potential security weakness. Enabling MFA strengthens authentication.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-308: Use of Single-factor Authentication
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

4: New IAM User Created

📘 Monitoring the creation of new IAM users ensures that all users are authorized and reduces the risk of unauthorized access.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

5: New IAM Role Created

📘 Monitoring IAM roles ensures that roles are created with appropriate permissions and are not misused.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

6: New IAM Group Created

📘 Monitoring IAM groups ensures that groups are created with appropriate permissions and are not misused.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

7: Security Group Opened to 0.0.0.0/0

📘 Security groups opened to all IP addresses can expose resources to potential threats. Ensure security groups are configured according to least privilege.

  • Section: Networking
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

8: Unauthorized API Calls

📘 Unauthorized API calls can indicate malicious activity or misconfiguration. It is essential to investigate such calls.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

9: IAM Policy Changes

📘 Changes to IAM policies can modify permissions and access controls, potentially exposing resources.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

10: CloudTrail configuration changes

📘 Changes to CloudTrail configuration can impact logging and monitoring, affecting the ability to detect and respond to incidents.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

11: Console Authentication failures

📘 Multiple console authentication failures can indicate brute-force or other unauthorized access attempts.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

12: Network Access Control Lists (NACL)

📘 Changes to NACLs can impact the security posture of VPCs by allowing or denying traffic.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

13: Changes to network gateways

📘 Monitoring changes to network gateways ensures that network traffic flows as expected and that there are no misconfigurations.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

14: Route table changes

📘 Route table changes can alter how traffic is routed within and outside of VPCs, potentially leading to exposure or disruption.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

15: VPC changes

📘 Monitoring changes to VPC configuration ensures that the network remains secure and operates as intended.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM

16: AWS Organization changes

📘 Changes to AWS Organizations can impact multiple accounts and services. Monitoring ensures adherence to best practices and organizational policies.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16: Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principle: NA
  • Rule Set: RTM