Login From Known Bad Source Using Calltype
This alert fires when Lacework detects a login from a known malicious source location, classified by the AWS call type of the activity.
Why this Alert is Important
The alert is raised for activity of one of the following call types:

| Call Type | Description |
|---|---|
| AwsApiCall | An API was called. |
| AwsApiCall MFA | An API was called with MFA. |
| AwsServiceEvent | The service generated an event related to your trail. For example, this can occur when another account makes a call with a resource that you own. |
| AwsConsoleAction | An action was taken in the console that was not an API call. |
| AwsConsoleSignIn | A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console. |
Investigation
Conduct an AWS security audit, including:
- Review your AWS account credentials.
- Review your IAM users.
- Review your IAM groups.
- Review your IAM roles.
- Review your IAM identity providers for SAML and OpenID Connect (OIDC).
- If you have created a mobile app that makes requests to AWS, review your mobile apps.
- Review your Amazon EC2 security configuration.
- Review AWS policies in other services.
Check the AWS Management Console for unusual new resources, or for resources in an AWS Region you do not normally use.
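As an added triage example, not code from the Lacework documentation, the following Python labels constructed CloudTrail records with the call types from the table above (deriving "AwsApiCall MFA" from the session's `mfaAuthenticated` attribute) and reports those whose source IP falls in a constructed bad-source list, giving the who/what/where an analyst needs before starting the audit steps above. The bad-source ranges, the sample records and the account ID are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed "known bad" ranges (RFC 5737 documentation addresses); a real deployment loads its feed here.
BAD_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

def call_type(record):
    """Map a CloudTrail record to the call-type labels used by the alert.
    'AwsApiCall MFA' is an API call made in an MFA-authenticated session."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if record.get("eventType") == "AwsApiCall" and attrs.get("mfaAuthenticated") == "true":
        return "AwsApiCall MFA"
    return record.get("eventType", "")

def from_bad_source(record):
    """True when sourceIPAddress is in a bad range. Calls made on your behalf
    by an AWS service carry a hostname here, not an IP; those are skipped."""
    try:
        src = ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return any(src in net for net in BAD_SOURCES)

def triage(records):
    """One finding per bad-source record: who, what, where, and which call type."""
    findings = []
    for rec in records:
        if from_bad_source(rec):
            ident = rec.get("userIdentity", {})
            findings.append({"call_type": call_type(rec),
                             "principal": ident.get("arn") or ident.get("type"),
                             "event": rec.get("eventName"), "region": rec.get("awsRegion"),
                             "source_ip": rec["sourceIPAddress"]})
    return findings

def _rec(etype, name, region, src, ident):  # builds a trimmed CloudTrail record
    return {"eventType": etype, "eventName": name, "awsRegion": region,
            "sourceIPAddress": src, "userIdentity": ident}

# Constructed sample records (123456789012 is AWS's documentation account ID).
SAMPLE_RECORDS = [
    _rec("AwsConsoleSignIn", "ConsoleLogin", "us-east-1", "203.0.113.45",
         {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}),
    _rec("AwsApiCall", "DescribeInstances", "us-east-1", "10.0.0.5",
         {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob",
          "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}),
    _rec("AwsApiCall", "CreateUser", "eu-west-3", "198.51.100.7",
         {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}),
    _rec("AwsServiceEvent", "AddPermission", "us-east-1", "lambda.amazonaws.com",
         {"type": "AWSService"}),
]
```

Running `triage(SAMPLE_RECORDS)` returns two findings: the console sign-in by alice and the root CreateUser call in eu-west-3; the MFA-backed DescribeInstances from an internal address and the service event are not flagged.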
Resolution
The following are resolutions that you can implement:
- Avoid using the root user for day-to-day operations.
- Use roles to delegate permissions.
- Grant least privilege.
- Use AWS-managed policies when adding permissions to your IAM identities.
- Validate your policies.
- Use customer-managed policies instead of inline policies.
- Use access levels to review IAM permissions.
- Configure a strong password policy for your users.
- Enable MFA.
- Use roles for applications that run on Amazon EC2 instances.
- Rotate credentials regularly.
- Remove unnecessary credentials.
- Use policy conditions for extra security.
- Monitor activity in your AWS account.