Open menu
-->

AWS Activity Detected Within Blacklisted Region(s)

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: High (act today)

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected activity within an AWS region that is not currently whitelisted.

This rule resolution is part of the Cloud Conformity Security Package

The activity detected for this rule could be any user action initiated via AWS Management Console or any AWS API request initiated programmatically using AWS CLI or SDK, that is related to the creation, modification, or deletion of resources in your AWS account on a per-region basis. Cloud Conformity Real-Time Monitoring can detect essentially any AWS API call/event captured by the Amazon CloudTrail service logging system such as launching, stopping and terminating an EC2 instance, creating and modifying a VPC security group, changing the access permissions to an S3 bucket, deleting an SQS queue, etc.

A whitelisted region is an AWS region where any activity is permitted, i.e. where any AWS API call is rendered as accepted, approved and recognized. A whitelisted region is the reverse of a blacklisted region, where any AWS API request is evaluated as denied, unrecognised or suspicious.

In order to enable RTMA detection for this conformity rule, you must define first the list of AWS regions to whitelist within the rule configuration using the Cloud Conformity dashboard. Once the rule is configured, you will be notified by the RTMA agent for any AWS action and/or API call detected within the blacklisted region(s).

Important Note:
To benefit from the RTMA detection used by this rule, you need to whitelist first the desired AWS region(s) within the rule settings available on Cloud Conformity dashboard. For instance, if you can define "Oregon" (us-west-2) AWS region as whitelisted region, if any activity is detected within a region other than Oregon, the activity is considered a risk and a notification alert will be send to you immediately.

Rationale

Monitoring your AWS account activity in real-time is essential in order to keep your account secure and adhere to security best practices. AWS activity monitoring and detection is also required when you must comply with the regulations enforced within your organization.

With Cloud Conformity RTMA per-region monitoring you will be able increase the visibility of the API activity within your AWS account for security and management purposes. This will help you maintain your AWS infrastructure secure by detecting any unusual activity within the blacklisted AWS region(s) and send real-time notifications, extremely useful when, for example, an unauthorized user is creating resources on a blacklisted AWS region, adding unexpected costs on your AWS bill.

For example, this type of detection could be also used to prevent data exposure or data loss within a so-called "regional storage unit" (i.e. an AWS region that is solely used for data storage and archiving using services such as S3 and Glacier).

Another example is when an organization/company is required to deploy their AWS workload in Sydney (ap-southeast-2) region for data sovereignty and data residency reasons only. The company can easily configure the rule to whitelist only the Sydney region in order to avoid the risk of breaking the existent regulations, which could put their business at risk due to the rigorous Australian data privacy laws, the personal data (including credit card details, health records, personal information and financial records) cannot leave Australia.

Using Cloud Conformity RTMA to detect unexpected activity within your blacklisted AWS regions will help you take immediate actions based on the RTMA notifications delivered in real-time and ensure that your organization remains compliant with the data sovereignty based laws.

References

Publication date May 24, 2017