Detect IAM User Sign-In Requests Outside Regular Business Hours

Monitoring IAM user activity outside regular business hours can help meet security and compliance requirements and enable you to respond fast to any unauthorized user access sessions or security breaches. Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine can detect in real time any AWS Management Console sign-in requests initiated by IAM users. An IAM user is an identity created for your Amazon Web Services account that has specific custom permissions (for example, permissions to manage KMS Customer Master Keys). You can use an IAM user name and password to sign in to AWS Management Console in order to access all AWS cloud resources - when the user has admin-level privileges, or a certain service or resource - when the user has a specific set of permissions that follows the principle of least privilege. Cloud Conformity RTMA integrates seamlessly with Amazon CloudTrail service which logs all sign-in attempts (successes and failures) made by IAM users. The RTMA engine scans the log files generated by AWS CloudTrail for logging data associated with IAM user sign-in requests, logging data that includes the time when the request was made, the IP address of the user signing in, the user agent used and whether MFA was enforced for that sign-in or not, then sends notifications to the recipients configured in the Cloud Conformity account settings whenever an IAM sign-in request is made outside regular business hours. The communication channels necessary for sending RTMA notifications can be easily configured within your Cloud Conformity account. The list of supported communication channels that you can use to receive alerts for AWS IAM sign-in requests outside 9AM – 5PM time interval, are SMS, Email, Slack, PagerDuty, ServiceNow and Zendesk.