AWS IAM Monitor

Monitor AWS IAM for user access and misconfiguration security issues.


Description

AWS IAM Analyzer helps prevent inappropriate and unauthorized users from gaining access to AWS IAM. It periodically queries AWS APIs for IAM account data within your AWS account and alerts to your configured output upon any detected issue (see Alerts List).

Access & Configuration

Alerts

User or Role created/deleted

Context: A new IAM user or role has been created or deleted. This could be problematic as unknown or unrecognized newly added users or roles could indicate unauthorized access to your AWS account. Deletion of a user or role could indicate malicious activity, such as the removal of an administrator.

Action: Navigate to the IAM Console via the AWS Management Console and review the user or role that was created or deleted (AWS Documentation).

Root user used

Context: Use of the AWS account's root user has been detected. This could be problematic as use of the root user is generally avoided due to its automatically elevated permissions. Unrecognized use of the account could indicate malicious activity.

Action: Navigate to the IAM Console via the AWS Management Console and review the use of the root user (AWS Documentation).

Password policy modified

Context: Modification of the AWS account's password policy has been detected. This could be problematic as modification of the password policy could pose compliance concerns and make unauthorized access easier for bad actors.

Action: Navigate to the IAM Console via the AWS Management Console and review the AWS account's password policy (AWS Documentation).
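The three alerts above are all visible as IAM control-plane events in CloudTrail. The following classifier is an added example, not Vectrix's code or rule set: it assigns one of the three alert names to a CloudTrail record, using the same root-usage shape as the CIS AWS Foundations metric filter (ignore records where an AWS service acted on the account's behalf, i.e. `invokedBy` is present, and ignore `AwsServiceEvent` records). The sample records and the account id are constructed.

```python
import gzip
import json

# IAM control-plane event names behind the first three alerts on this page.
# The mapping is this example's own; it is not the monitor's rule set.
USER_ROLE_LIFECYCLE = {"CreateUser", "DeleteUser", "CreateRole", "DeleteRole"}
PASSWORD_POLICY = {"UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"}


def classify_event(event):
    """Return the alert name for one CloudTrail record, or None if it is benign."""
    identity = event.get("userIdentity", {})
    # Root usage: same shape as the CIS AWS Foundations metric filter, which
    # ignores calls an AWS service made on the account's behalf (invokedBy set)
    # and service-originated events.
    if (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        return "Root user used"
    if event.get("eventSource") == "iam.amazonaws.com":
        name = event.get("eventName")
        if name in USER_ROLE_LIFECYCLE:
            return "User or Role created/deleted"
        if name in PASSWORD_POLICY:
            return "Password policy modified"
    return None


def scan_trail(records):
    """Return (alert, eventName, principal, eventTime) for every alerting record."""
    findings = []
    for rec in records:
        alert = classify_event(rec)
        if alert is None:
            continue
        identity = rec.get("userIdentity", {})
        principal = identity.get("userName") or identity.get("arn") or identity.get("type")
        findings.append((alert, rec.get("eventName"), principal, rec.get("eventTime")))
    return findings


def load_trail_file(path):
    """Read one CloudTrail log delivery: gzipped JSON with a top-level "Records" list."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


# Constructed sample records shaped like CloudTrail entries (account id is a placeholder).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-03-01T09:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    # Root principal, but an AWS service acted on the account's behalf: not an alert.
    {"eventTime": "2024-03-01T09:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal",
                      "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccountPasswordPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
    # Read-only IAM call: not an alert.
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

if __name__ == "__main__":
    for alert, name, who, when in scan_trail(SAMPLE_RECORDS):
        print(f"{when}  {alert:32}  {name} by {who}")
```

Run against a real delivery with `scan_trail(load_trail_file("path/to/delivery.json.gz"))`. The `invokedBy` exclusion is what keeps routine service activity under the root principal from paging anyone; drop it only if you want to see every root-attributed record.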

User Inactivity (>90 days) detected

Context: User inactivity for more than 90 days has been detected. This could be problematic for compliance reasons, as well as the elevated risk of having unnecessary access provisioned to users who do not use their accounts (learn about the Principle of Least Privilege).

Action: Navigate to the IAM Console via the AWS Management Console and remove the inactive user if not needed any longer (AWS Documentation).

Old access key (>90 days) detected

Context: An access key older than 90 days has been detected. This could be problematic for compliance reasons, as well as the elevated risk of long-lived access keys: the longer a key remains valid, the greater the chance of it being used elsewhere for unauthorized purposes.

Action: Navigate to the IAM Console via the AWS Management Console and rotate the access key in question (AWS Documentation).

Old password (>90 days) detected

Context: A user password older than 90 days has been detected. This could be problematic for compliance reasons, as well as the elevated risk of a long-lived password: the longer a password remains valid, the greater the chance of it being used elsewhere for unauthorized purposes.

Action: Navigate to the IAM Console via the AWS Management Console and reset the old password in question (AWS Documentation).

Multi-Factor Authentication disabled

Context: An AWS user without Multi-Factor Authentication enabled has been detected. This could be problematic for compliance reasons, as well as the elevated risk that unauthorized access is made easier when no second form of authentication is required.

Action: Navigate to the IAM Console via the AWS Management Console and have the user enable MFA (AWS Documentation).
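The four alerts above (inactivity, old access key, old password, MFA disabled) can all be evaluated from the IAM credential report, which AWS serves as a CSV. The script below is an added example, not Vectrix's implementation: it parses the report's real column layout, applies the page's 90-day threshold, and returns the alert names per user. The sample report, the account id and the fixed clock `NOW` are constructed; `fetch_credential_report` uses the real boto3 `generate_credential_report` / `get_credential_report` calls for live use.

```python
import csv
import io
import time
from datetime import datetime, timezone

THRESHOLD_DAYS = 90  # the threshold used by the alerts on this page
NEVER = {"", "N/A", "no_information", "not_supported"}


def parse_time(value):
    """Credential-report timestamps are ISO 8601; placeholder values mean 'never'."""
    if value in NEVER:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def age_days(value, now):
    ts = parse_time(value)
    return None if ts is None else (now - ts).days


def evaluate_row(row, now):
    """Return the list of alert names that apply to one credential-report row."""
    alerts = []
    is_root = row["user"] == "<root_account>"
    # Inactivity: most recent console or access-key use; fall back to creation
    # time for a user that has never signed in. Root is not a removable user.
    last_used = [t for t in (parse_time(row["password_last_used"]),
                             parse_time(row["access_key_1_last_used_date"]),
                             parse_time(row["access_key_2_last_used_date"])) if t]
    if not is_root:
        ref = max(last_used) if last_used else parse_time(row["user_creation_time"])
        if ref and (now - ref).days > THRESHOLD_DAYS:
            alerts.append("User Inactivity (>90 days) detected")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            age = age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > THRESHOLD_DAYS:
                alerts.append(f"Old access key (>90 days) detected: key {n}")
    if row["password_enabled"] == "true":
        age = age_days(row["password_last_changed"], now)
        if age is not None and age > THRESHOLD_DAYS:
            alerts.append("Old password (>90 days) detected")
    # MFA matters for every principal that can sign in to the console; root always can.
    if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
        alerts.append("Multi-Factor Authentication disabled")
    return alerts


def scan_report(csv_text, now=None):
    """Map each user in a credential report to its list of alerts."""
    now = now or datetime.now(timezone.utc)
    return {row["user"]: evaluate_row(row, now)
            for row in csv.DictReader(io.StringIO(csv_text))}


def fetch_credential_report():
    """Download the live report with boto3 (needs iam:GenerateCredentialReport
    and iam:GetCredentialReport); generation is asynchronous, so poll."""
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


# Constructed sample report (same column layout as the real CSV; account id is a placeholder).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-06-01T00:00:00+00:00,true,2024-05-30T07:00:00+00:00,2024-05-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-05-29T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-01T00:00:00+00:00,true,2024-01-15T09:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-15T00:00:00+00:00,2024-05-31T18:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    for user, alerts in scan_report(SAMPLE_REPORT, NOW).items():
        print(user, alerts or "ok")
```

For a live account call `scan_report(fetch_credential_report())`. Note that `carol` has no console password, so the MFA check does not fire for her: an access-key-only user cannot use console MFA, which is why the check is tied to `password_enabled` rather than applied to every row.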

User or Role Over Privileged (Advanced)

This advanced alert is not enabled by default. To enable, visit the Deployment configurations once deployed.

Context: An AWS user has permissions that have been unused for more than 90 days. This could be problematic as unused permissions present an elevated risk of unauthorized or unintended actions taking place.

Action: Navigate to the IAM Console via the AWS Management Console and review IAM policies for unnecessary or unused permissions (AWS Documentation).

Privilege escalation ability (Advanced)

This advanced alert is not enabled by default. To enable, visit the Deployment configurations once deployed.

Context: An AWS user has permissions that could allow them to escalate their own permissions and administrative capabilities. This could be problematic as a user that escalates their privileges could make unapproved changes.

Action: Navigate to the IAM Console via the AWS Management Console and review IAM policies for permissions that could be used to escalate abilities (AWS Documentation).

Resource exposure ability (Advanced)

This advanced alert is not enabled by default. To enable, visit the Deployment configurations once deployed.

Context: An AWS user has permissions that could allow them to expose AWS resources to the internet. This could be problematic as exposed resources broaden the attack surface that bad actors can exploit.

Action: Navigate to the IAM Console via the AWS Management Console and review IAM policies for permissions that could be used to expose resources (AWS Documentation).

Data leak ability (Advanced)

This advanced alert is not enabled by default. To enable, visit the Deployment configurations once deployed.

Context: An AWS user has permissions that could allow them to make S3 Buckets public to the internet. This could be problematic as a user that exposes S3 Buckets can leak S3 objects.

Action: Navigate to the IAM Console via the AWS Management Console and review IAM policies for permissions that could be used to expose S3 Bucket objects (AWS Documentation).
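The three advanced alerts above (privilege escalation, resource exposure, data leak) come down to the same review: which sensitive actions does a policy actually grant once wildcards, `NotAction` and `Deny` statements are accounted for. The scanner below is an added example, not Vectrix's code; the action groupings are an illustrative subset chosen for this example, not the monitor's rule set, and the sample policies are constructed. It deliberately ignores `Resource` and `Condition`, so it over-reports rather than under-reports. `user_policy_documents` uses the real boto3 IAM calls to pull a user's inline and attached policies.

```python
import fnmatch
import json

# Illustrative subset of actions behind the page's three advanced alerts. The
# grouping is this example's own, not the monitor's rule set.
RISK_CATEGORIES = {
    "Privilege escalation ability": [
        "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
        "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
        "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
        "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole",
    ],
    "Resource exposure ability": [
        "ec2:AuthorizeSecurityGroupIngress", "lambda:AddPermission",
        "sqs:AddPermission", "sns:AddPermission", "kms:PutKeyPolicy",
        "ecr:SetRepositoryPolicy", "secretsmanager:PutResourcePolicy",
    ],
    "Data leak ability": [
        "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl",
        "s3:PutBucketPublicAccessBlock", "s3:DeleteBucketPolicy",
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _applies(stmt, action):
    """Does this statement cover the action? NotAction covers everything not listed."""
    if "Action" in stmt:
        return _matches(action, _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not _matches(action, _as_list(stmt["NotAction"]))
    return False


def find_risky_grants(policy):
    """Return {category: [sensitive actions the policy allows and no statement denies]}.

    Simplification: Resource and Condition elements are ignored, so this is a
    conservative first pass that over-reports rather than under-reports."""
    statements = _as_list(policy.get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    findings = {}
    for category, actions in RISK_CATEGORIES.items():
        granted = [a for a in actions
                   if any(_applies(s, a) for s in allows)
                   and not any(_applies(s, a) for s in denies)]
        if granted:
            findings[category] = granted
    return findings


def user_policy_documents(user_name):
    """Fetch a user's inline and attached managed policy documents with boto3."""
    import boto3
    iam = boto3.client("iam")
    docs = [iam.get_user_policy(UserName=user_name, PolicyName=n)["PolicyDocument"]
            for n in iam.list_user_policies(UserName=user_name)["PolicyNames"]]
    for att in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=att["PolicyArn"],
                                           VersionId=version)["PolicyVersion"]["Document"])
    return docs


# Constructed sample policies.
POLICY_WILDCARD = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
POLICY_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "s3:GetObject"], "Resource": "*"}]}
POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Deny", "Action": ["s3:PutBucketPolicy", "s3:PutBucketAcl"], "Resource": "*"}]}
# Allow-everything-except is easy to misread: everything outside iam: is still granted.
POLICY_NOTACTION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("wildcard", POLICY_WILDCARD), ("readonly", POLICY_READONLY),
                      ("scoped", POLICY_SCOPED), ("notaction", POLICY_NOTACTION)]:
        print(name, json.dumps(find_risky_grants(pol), indent=1))
```

Review a real user with `for doc in user_policy_documents("alice"): print(find_risky_grants(doc))` (group policies and pagination are left out for brevity). The `POLICY_NOTACTION` case is the one worth internalising: it names no sensitive action, yet it grants the whole resource-exposure and data-leak lists plus `sts:AssumeRole`, which is exactly the kind of grant a review that only greps for action names will miss.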

Sample Alert

Sample Alert: MFA Disabled