Real-Time Monitoring Rules
1: Root Account Console Login
Use of the AWS root account is not recommended because it has unrestricted access to all resources in the account; a compromised root account poses a significant risk.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-250: Execution with Unnecessary Privileges
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: NA
- Rule Set: RTM
2: Root Account Console Login without MFA
A root account without Multi-Factor Authentication (MFA) significantly increases the risk of unauthorized access. MFA provides an additional layer of security.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-308: Use of Single-factor Authentication
- Assurance Scope: PCI, NIST
- Threat Modeling Principal: NA
- Rule Set: RTM
3: User Account Console Login without MFA
User accounts without MFA are a potential point of compromise. Enabling MFA strengthens account security.
- Section: Identity and Access Management
- Severity: Critical
- CWE: CWE-308: Use of Single-factor Authentication
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
4: New IAM User Created
Monitoring the creation of new IAM users ensures that all users are authorized and reduces the risk of unauthorized access.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
5: New IAM Role Created
Monitoring IAM role creation ensures that roles are created with appropriate permissions and are not misused.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
6: New IAM Group Created
Monitoring IAM group creation ensures that groups are created with appropriate permissions and are not misused.
- Section: Identity and Access Management
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
7: Security Group Opened to 0.0.0.0/0
Security groups opened to all IP addresses can expose resources to potential threats. Ensure security groups are configured with least privilege.
- Section: Networking
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
8: Unauthorized API Calls
Unauthorized API calls can indicate malicious activity or misconfiguration. It is essential to investigate such calls.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
9: IAM Policy Changes
Changes to IAM policies can modify permissions and access controls, potentially exposing resources.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
10: CloudTrail Configuration Changes
Changes to CloudTrail configuration can impact logging and monitoring, affecting the ability to detect and respond to incidents.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
11: Console Authentication Failures
Multiple console authentication failures can indicate brute-force attempts or other unauthorized access attempts.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
12: Network Access Control List (NACL) Changes
Changes to NACLs can impact the security posture of VPCs by allowing or denying traffic.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
13: Changes to Network Gateways
Monitoring changes to network gateways ensures that network traffic flows as expected and that there are no misconfigurations.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
14: Route Table Changes
Route table changes can affect how traffic is routed within and outside of VPCs, potentially leading to exposure or disruption.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
15: VPC Changes
Monitoring changes to VPC configuration ensures that the network remains secure and operates as intended.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM
16: AWS Organizations Changes
Changes to AWS Organizations can affect multiple accounts and services. Monitoring ensures adherence to best practices and organizational policies.
- Section: CloudTrail
- Severity: High
- CWE: CWE-16: Configuration
- Assurance Scope: PCI, NIST, GDPR, HIPAA
- Threat Modeling Principal: NA
- Rule Set: RTM