Real-Time Monitoring Rules

1: Root Account Console Login

📘 Use of the AWS root account is not recommended due to its unrestricted access to all resources. It poses significant risks if compromised.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-250 Execution with Unnecessary Privileges
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principal: NA
  • Rule Set: RTM

2: Root Account Console Login without MFA

📘 The root account without Multi-Factor Authentication (MFA) significantly increases the risk of unauthorized access. MFA provides an additional layer of security.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-308 Use of Single-factor Authentication
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principal: NA
  • Rule Set: RTM

3: User Account Console Login without MFA

📘 IAM user accounts without MFA are protected by a password alone, so a single leaked or guessed credential is enough to gain access. Enabling MFA adds a second factor that a stolen password does not satisfy.

  • Section: Identity and Access Management
  • Severity: Critical
  • CWE: CWE-308 Use of Single-factor Authentication
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

4: New IAM User Created

📘 Monitoring the creation of new IAM users ensures that all users are authorized and reduces the risk of unauthorized access.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

5: New IAM Role Created

📘 Monitoring IAM role creation lets you verify that each new role carries only the permissions it needs and is not used as an unintended path to broader access.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

6: New IAM Group Created

📘 Monitoring IAM group creation lets you verify that each new group is granted only the permissions it needs and is not used to extend access to its members beyond what was authorized.

  • Section: Identity and Access Management
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

7: Security Group Opened to 0.0.0.0/0

📘 A security group rule that allows traffic from 0.0.0.0/0 exposes the attached resources to the entire internet. Restrict inbound rules to the specific source ranges and ports that are actually required (least privilege).

  • Section: Networking
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

8: Unauthorized API Calls

📘 Unauthorized API calls can indicate malicious activity or misconfigurations. It's essential to investigate such calls.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

9: IAM Policy Changes

📘 Changes to IAM policies can modify permissions and access controls, potentially exposing resources.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

10: CloudTrail configuration changes

📘 Changes to CloudTrail configurations can impact logging and monitoring, affecting the ability to detect and respond to incidents.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

11: Console Authentication failures

📘 Multiple console authentication failures can indicate brute-force attempts or unauthorized access attempts.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

12: Network Access Control Lists (NACL)

📘 Changes to network ACLs alter which traffic is allowed into or out of a VPC's subnets, so an unexpected change can silently widen exposure or block legitimate traffic.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

13: Changes to network gateways

📘 Changes to network gateways (internet, NAT, and VPN gateways) alter how traffic enters and leaves the VPC. Monitoring them lets you confirm that traffic flows as intended and catch misconfigurations early.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

14: Route table changes

📘 Route table changes can impact how traffic is routed within and outside of VPCs, potentially leading to exposure or disruption.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

15: VPC changes

📘 Changes to VPC configuration (creation, deletion, peering, or attribute changes) alter the network boundary itself. Monitoring them lets you confirm that the network stays within its intended design.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM

16: AWS Organization changes

📘 Changes to AWS Organizations can impact multiple accounts and services. Monitoring ensures adherence to best practices and organizational policies.

  • Section: CloudTrail
  • Severity: High
  • CWE: CWE-16 Configuration
  • Assurance Scope: PCI, NIST, GDPR, HIPAA
  • Threat Modeling Principal: NA
  • Rule Set: RTM