API Failed With Error
This alert occurs when Lacework detects an API that failed with an error within a geolocation.
Why this Alert is Important
By default, AWS Identity and Access Management (IAM) users don't have permission to create or modify Amazon resources or perform tasks using the Amazon API unless they've been explicitly granted permission through IAM policies. If an IAM user attempts to perform an action for which permission has not been granted, the request returns the following error: Client.UnauthorizedOperation.
Investigation
Use AWS CloudTrail data to view and track API calls made to your account. Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
- Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
- Whether the request was made with temporary security credentials for a role or federated user.
- Whether the request was made by another AWS service.
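The triage described above, as an added example that is not part of the original page: it reads CloudTrail records (constructed sample data, not real account logs), keeps only calls that returned an error, and maps each record's userIdentity block to the three questions in the list. The identity types (Root, IAMUser, AssumedRole, FederatedUser, AWSService) are the values CloudTrail uses; the record contents are invented.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records for illustration only (not real data).
SAMPLE_RECORDS = [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",   # succeeded: no errorCode field
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"}},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "Deploy"}}}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "errorCode": "AccessDenied", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
]

def parse_cloudtrail(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text).get("Records", [])

def describe_identity(identity):
    """Answer: root or IAM user? temporary role/federated credentials? another AWS service?"""
    kind = identity.get("type")
    if kind == "Root":
        return "root credentials"
    if kind == "IAMUser":
        return f"IAM user credentials ({identity.get('userName')})"
    if kind in ("AssumedRole", "FederatedUser"):
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "unknown")
        return f"temporary credentials for {kind} (issuer: {issuer})"
    if kind == "AWSService":
        return f"another AWS service ({identity.get('invokedBy')})"
    return f"unrecognised identity type {kind!r}"

def failed_api_calls(records):
    """Return (who, eventSource, eventName, errorCode, sourceIP) for each call that errored."""
    return [(describe_identity(r["userIdentity"]), r["eventSource"], r["eventName"],
             r["errorCode"], r["sourceIPAddress"]) for r in records if "errorCode" in r]

def failures_by_source(records):
    """Count failures per (source IP, identity) pair to spot a single origin probing many APIs."""
    return Counter((row[4], row[0]) for row in failed_api_calls(records))
```

Point `parse_cloudtrail` at the decompressed contents of a CloudTrail log file to run the same triage over real data.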
Resolution
The following are resolutions that you can implement:
- Rotate and delete all AWS access keys.
- Rotate any potentially unauthorized IAM user credentials.
- Delete any unrecognized or unauthorized resources.
- Enable MFA.
- Use Amazon GuardDuty to detect suspicious activity within your AWS account.
- Use IAM access policies to control how IAM users access your resources or buckets. Additionally, you can use Virtual Private Cloud (VPC) endpoints with S3 bucket policies to restrict access to specific VPC endpoints.
- For use cases that require the sharing of S3 objects between different sources, use S3 Access Points to create permission sets that restrict access to only those within your private network.
- Use an access control list (ACL) to securely grant access to your AWS resources to other AWS accounts.