RealTime Monitoring Rules
1: Root Account Console Login
Use of the AWS root account is not recommended because it has unrestricted access to all resources in the account; any console login with root credentials poses significant risk if the credentials are compromised.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-250: Execution with Unnecessary Privileges
- Assurance Scope: PCI, NIST
- Threat Modeling Principle: NA
- Rule Set: RTM
2: Root Account Console Login without MFA
A root account login without Multi-Factor Authentication (MFA) significantly increases the risk of unauthorized access, since a single compromised password is enough to take over the account. MFA provides an additional layer of security.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-308: Use of Single-factor Authentication
- Assurance Scope: PCI, NIST
- Threat Modeling Principle: NA
- Rule Set: RTM
3: User Account Console Login without MFA
Console logins by IAM user accounts without MFA rely on a single authentication factor and are a potential security weakness. Enabling MFA adds a second factor and strengthens account security.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-308: Use of Single-factor Authentication
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
4: New IAM User Created
Monitoring the creation of new IAM users ensures that every user is authorized and reduces the risk of unauthorized access through unexpected identities.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
5: New IAM Role Created
Monitoring the creation of IAM roles ensures that roles are created with appropriate permissions and are not misused.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
6: New IAM Group Created
Monitoring the creation of IAM groups ensures that groups are created with appropriate permissions and are not misused.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
7: Security Group Opened to 0.0.0.0/0
Security groups that allow inbound traffic from all IP addresses (0.0.0.0/0) can expose resources to the entire internet. Ensure security groups are configured with least privilege, allowing only the sources and ports that are required.
- Section: Networking
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
8: Unauthorized API Calls
Unauthorized API calls (calls that fail with access denied or unauthorized errors) can indicate malicious activity or misconfigured permissions. Such calls should be investigated.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
9: IAM Policy Changes
Changes to IAM policies modify permissions and access controls and can potentially expose resources to unauthorized access.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
10: CloudTrail configuration changes
Changes to CloudTrail configuration can disable or degrade logging and monitoring, reducing the ability to detect and respond to incidents.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
11: Console Authentication failures
Multiple console authentication failures can indicate brute-force or other unauthorized access attempts against account credentials.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
12: Network Access Control Lists (NACL)
Changes to Network Access Control Lists (NACLs) alter which traffic is allowed or denied at the subnet level and can affect the security posture of VPCs.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
13: Changes to network gateways
Monitoring changes to network gateways ensures that network traffic flows as expected and that no misconfigurations have been introduced.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
14: Route table changes
Route table changes affect how traffic is routed within and outside of VPCs and can potentially lead to exposure of resources or disruption of connectivity.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
15: VPC changes
Monitoring changes to VPC configuration ensures that the network remains secure and operates as intended.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM
16: AWS Organization changes
Changes to AWS Organizations can affect multiple accounts and services at once. Monitoring them ensures adherence to best practices and organizational policies.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principle: NA
- Rule Set: RTM