Open menu
-->

AWS User Signed In From Blacklisted IP Address

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: High (act today)

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS user authentication request initiated from a non-authorized IP address (e.g. 119.168.222.122/32) or IP range (e.g. 10.0.0.0/16).
Allowing users to authenticate from blacklisted IPs could be very problematic because usually the authentication requests are coming from infected networks or individual machines, bots/botnets, people that are trying to access your AWS environment with malicious intent or former employees that are no longer qualified to access your AWS account resources.

This rule resolution is part of the Cloud Conformity Security Package

For this conformity rule, a whitelisted IP represents an IP address that you can trust, that belongs to an eligible AWS user (root or IAM) which have the permission to access your AWS environment, meaning that the user authentication request is accepted, approved and recognized. In opposition, a blacklisted IP is an IP address that pose a threat to your AWS environment, from where all user authentication requests are marked as banned, unrecognized or suspicious.

This RTMA rule will help you to restrict access to your AWS services and resources only from a known IP address or range. As a security best practice, it is always recommended to restrict access to your AWS account from a compromised IP address or IP range as an effective way of minimizing the impact of security breaches.

In order to enable RTMA monitoring and detection for the current conformity rule, you must define the list of authorized (whitelisted) IP addresses or IP ranges within the rule configuration using the Cloud Conformity dashboard. Once the rule is configured and all whitelisted IPs are correctly defined, the intrusion detection becomes active and you will be notified by the Cloud Conformity RTMA agent for any login session initiated from a non-authorized IP address, notification alert that can help you take immediate actions to secure your AWS account, such as deleting the non-authorized IAM user or updating the right IAM policy by specifying the 'aws:SourceIp' condition within the access policy statement.

Important Note:
To adhere to security best practices and benefit from the RTMA detection used by this rule, you need to define first the IPs whitelist within the rule settings. You can specify the private individual IPs or private IP ranges using the CIDR notation, for example use 119.168.222.122/32 to whitelist a single IP address or 10.0.0.0/16 to whitelist an entire IP range, or you can specify a public individual IPs and IP ranges such as 183.136.232.105/32 and 185.0.0.0/16.

Monitoring user access in real-time is essential for keeping your Amazon Web Services account safe. With the Cloud Conformity RTMA logon monitoring that detects authentication requests made from non-authorized IP addresses you will gain real-time visibility into your AWS account login activity and help you respond fast to any unauthorized access session that could represent a threat to your AWS account.

Rationale

To reduce exposure to this type of security issue, you can make use of a VPN connection by linking your AWS Virtual Private Cloud (VPC) to a remote network or individual machine or utilize the AWS Direct Connect service which makes it easy to establish a dedicated network connection from your individual user machines or organization network to your AWS VPC. You can also combine the connection created with Direct Connect with an AWS hardware VPN connection in order to create an IPsec-encrypted tunnel. If AWS Direct Connect or VPN connections are in use, the AWS users can access the organization resources only from an internal network to prevent all unauthorized access. Also, since most organizations disable internal and VPN network access when an employee or independent contractor exits, the access to the AWS environment for these users is automatically canceled.

Cloud Conformity RTMA enforces secure access to your AWS account by providing this real-time detection rule, responsible for sending notifications to you and your recipients in the event of an authentication from a blacklisted IP address or IP range, alert notifications that could help mitigate several types of risks such as data theft, hacking, corporate espionage, several kinds of attacks or even a former employee from your organization with malicious intentions.

References

Publication date May 24, 2017