Detect IAM User Sign-In Requests Outside Regular Business Hours

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)

Monitoring IAM user activity outside regular business hours can help meet security and compliance requirements and enable you to respond fast to any unauthorized user access sessions or security breaches. Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine can detect in real time any AWS Management Console sign-in requests initiated by IAM users. An IAM user is an identity created for your Amazon Web Services account that has specific custom permissions (for example, permissions to manage KMS Customer Master Keys). You can use an IAM user name and password to sign in to AWS Management Console in order to access all AWS cloud resources - when the user has admin-level privileges, or a certain service or resource - when the user has a specific set of permissions that follows the principle of least privilege. Cloud Conformity RTMA integrates seamlessly with Amazon CloudTrail service which logs all sign-in attempts (successes and failures) made by IAM users. The RTMA engine scans the log files generated by AWS CloudTrail for logging data associated with IAM user sign-in requests, logging data that includes the time when the request was made, the IP address of the user signing in, the user agent used and whether MFA was enforced for that sign-in or not, then sends notifications to the recipients configured in the Cloud Conformity account settings whenever an IAM sign-in request is made outside regular business hours. The communication channels necessary for sending RTMA notifications can be easily configured within your Cloud Conformity account. The list of supported communication channels that you can use to receive alerts for AWS IAM sign-in requests outside 9AM – 5PM time interval, are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.


Monitoring IAM access in real-time is essential for keeping your Amazon Web Services account secure as it helps you gain more visibility into your account user activity. The AWS IAM user sign-in requests made to AWS Management Console outside regular business hours are automatically labeled as suspicious. Allowing IAM users to access your AWS account outside regular business hours (i.e. outside 9AM – 5PM interval) could be very problematic because these authentication requests are usually performed by unauthorized people. Once this RTMA rule is enabled, the system sends notifications whenever AWS Management Console sign-in requests are performed outside the 9AM – 5PM timeframe. Besides granting your IAM users the minimum amount of privileges necessary to perform their assigned tasks, Cloud Conformity strongly recommends using this conformity rule to monitor your IAM user activity outside regular business hours.


Publication date Sep 9, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Detect IAM User Sign-In Requests Outside Regular Business Hours

Risk level: Low