Trend Micro Cloud One™

Users signed in to AWS from a whitelisted IP Address

Last updated: 03 December 2019
Risk level: High (not acceptable risk)
Rule ID: RTM-007

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS user authentication request initiated from a non-authorized IP address (e.g. 119.168.222.122).
Allowing users to authenticate from blacklisted IPs is a serious problem because such authentication requests typically come from infected networks or machines, bots and botnets, people attempting to access your AWS environment with malicious intent, or former employees who are no longer entitled to access your AWS account resources.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Real-Time Threat Monitoring

Security

For this conformity rule, a whitelisted IP is an IP address that you can trust: it belongs to an eligible AWS user (root or IAM) who has permission to access your AWS environment, so user authentication requests from it are accepted, approved and recognized. Conversely, a blacklisted IP is an IP address that poses a threat to your AWS environment, and all user authentication requests originating from it are treated as banned, unrecognized or suspicious.

This RTMA rule helps you restrict access to your AWS services and resources to known IP addresses only. As a security best practice, it is always recommended to block access to your AWS account from compromised IP addresses as an effective way of minimizing the impact of security breaches.

To enable RTMA monitoring and detection for this conformity rule, you must define the list of authorized (whitelisted) IP addresses in the rule configuration using the Cloud Conformity dashboard. Once the rule is configured and all whitelisted IPs are correctly defined, intrusion detection becomes active and the Cloud Conformity RTMA agent notifies you of any login session initiated from a non-authorized IP address. That alert lets you take immediate action to secure your AWS account, such as deleting the non-authorized IAM user or updating the relevant IAM policy by adding an 'aws:SourceIp' condition to the access policy statement.

Important Note:
To adhere to security best practices and benefit from the RTMA detection used by this rule, you must first define the IP whitelist in the rule settings. You can whitelist individual IP addresses, for example 119.168.222.122 or 183.136.232.105, each of which allows a single address.
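The following is an added example, not Cloud Conformity's own RTMA code, showing the two halves of what the rule describes: checking console sign-in events against an IP whitelist, and building the IAM policy statement with the 'aws:SourceIp' condition that the page names as a remediation. The allowlist and the CloudTrail-style ConsoleLogin records are constructed sample data (the two addresses are the ones used as examples on this page; the 203.0.113.0/24 range stands in for an office or VPN egress block). The policy shape follows AWS's documented pattern for denying requests by source IP; the `aws:ViaAWSService` key is a real condition key that keeps the deny from breaking calls AWS services make on the principal's behalf.

```python
"""Flag AWS console sign-ins from addresses outside an allowlist, and build
the aws:SourceIp deny statement used to restrict access to those addresses.
All events and addresses below are constructed, not real CloudTrail output."""
import ipaddress
import json

# Constructed allowlist: the page's two example addresses plus one CIDR block.
ALLOWED_SOURCES = ["119.168.222.122", "183.136.232.105", "203.0.113.0/24"]

# Constructed CloudTrail-style records. Field names follow the CloudTrail
# schema (eventName, sourceIPAddress, userIdentity, responseElements);
# the values are made up.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "119.168.222.122",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]


def parse_allowlist(entries):
    """Turn '10.0.0.5' or '10.0.0.0/8' into network objects. A bare address
    becomes a /32 (or /128); strict=False tolerates host bits in a CIDR."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(source_ip, networks):
    """True when source_ip is inside any allowlisted network. A value that is
    not an IP address at all is treated as NOT allowed, so it gets flagged."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    # Membership already returns False when address and network versions differ.
    return any(addr in net for net in networks)


def find_unauthorized_logins(events, allowlist=ALLOWED_SOURCES):
    """Return one alert per ConsoleLogin from an address outside the allowlist.
    Failed attempts are reported too: a failed sign-in from an unknown address
    is still the signal this rule is meant to surface."""
    networks = parse_allowlist(allowlist)
    alerts = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        src = ev.get("sourceIPAddress", "")
        if is_allowed(src, networks):
            continue
        ident = ev.get("userIdentity", {})
        alerts.append({
            "principal": ident.get("userName") or ident.get("arn", "unknown"),
            "type": ident.get("type"),
            "source_ip": src,
            "outcome": ev.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
        })
    return alerts


def source_ip_deny_policy(allowlist=ALLOWED_SOURCES):
    """Identity-based policy that denies every action unless the request comes
    from an allowlisted address. aws:ViaAWSService=false excludes requests that
    AWS services make on the principal's behalf (those do not carry the user's
    IP). Identity-based policies never apply to the root user, so root
    sign-ins can only be detected, not restricted, with this statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowlistedSourceIps",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": list(allowlist)},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }],
    }


if __name__ == "__main__":
    for a in find_unauthorized_logins(SAMPLE_EVENTS):
        print(f"ALERT {a['type']} {a['principal']} from {a['source_ip']} ({a['outcome']})")
    print(json.dumps(source_ip_deny_policy(), indent=2))
```

Run against the sample data, the checker raises two alerts: the root sign-in from 198.51.100.7 and the failed sign-in by carol from 198.51.100.9; alice and bob are inside the allowlist and the DescribeInstances call is not a sign-in. Attach the generated statement to the IAM users or groups that should only operate from known addresses, and keep the detection in place for the root user, which the policy cannot constrain.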

Monitoring user access in real time is essential for keeping your Amazon Web Services account safe. Cloud Conformity RTMA logon monitoring, which detects authentication requests made from non-authorized IP addresses, gives you real-time visibility into your AWS account login activity and helps you respond quickly to any unauthorized access session that could represent a threat to your AWS account.

Rationale

To reduce exposure to this type of security issue, you can make use of a VPN connection by linking your AWS Virtual Private Cloud (VPC) to a remote network or individual machine or utilize the AWS Direct Connect service which makes it easy to establish a dedicated network connection from your individual user machines or organization network to your AWS VPC. You can also combine the connection created with Direct Connect with an AWS hardware VPN connection in order to create an IPsec-encrypted tunnel. If AWS Direct Connect or VPN connections are in use, the AWS users can access the organization resources only from an internal network to prevent all unauthorized access. Also, since most organizations disable internal and VPN network access when an employee or independent contractor exits, the access to the AWS environment for these users is automatically canceled.

Cloud Conformity RTMA enforces secure access to your AWS account by providing this real-time detection rule. The rule sends notifications to you and your recipients whenever an authentication occurs from a blacklisted IP address. These alert notifications can help mitigate several types of risk, such as data theft, hacking, corporate espionage and other kinds of attacks, including a former employee of your organization acting with malicious intent.

Publication date May 24, 2017
