
Login From New Bad Source Using Calltype

This alert occurs when Lacework detects a login to your AWS account from a source IP address that has not been seen before and is classified as malicious. The activity is recorded in CloudTrail under one of the call types (CallType values) listed below.

Why this Alert is Important

The activity behind this alert is recorded in CloudTrail as one of the following call types:

Call Type          Description
AwsApiCall         An API was called.
AwsApiCall MFA     An API was called with MFA.
AwsServiceEvent    The service generated an event related to your trail. For example, this can occur when another account makes a call with a resource that you own.
AwsConsoleAction   An action was taken in the console that was not an API call.
AwsConsoleSignIn   A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console.

Investigation

Conduct an AWS security audit, including:

  • Review your AWS account credentials.
  • Review your IAM users.
  • Review your IAM groups.
  • Review your IAM roles.
  • Review your IAM providers for SAML and OpenID Connect (OIDC).
  • If you have created a mobile app that makes requests to AWS, review your mobile apps.
  • Review your Amazon EC2 security configuration.
  • Review AWS policies in other services.

Check the AWS Management Console for unusual new resources, including resources created in AWS regions that your account does not normally use.
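The following is an added example of the triage step described above; it is not Lacework code. It takes CloudTrail records, keeps only those whose sourceIPAddress falls inside a list of known-bad networks and whose eventType is one of the call types this alert covers, and summarises per identity which API calls were made, in which regions, and whether the console sign-in used MFA. The field names follow the CloudTrail record format; the sample records, user names, account ID and IP addresses are constructed for this example.

```python
"""Triage CloudTrail records behind a "login from new bad source" alert.

Added example (not Lacework code). Field names follow the CloudTrail
record format; SAMPLE_RECORDS and all IP addresses are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# CloudTrail eventType values this alert can be raised on.
ALERT_EVENT_TYPES = {"AwsApiCall", "AwsServiceEvent", "AwsConsoleAction", "AwsConsoleSignIn"}

# Constructed sample records (trimmed CloudTrail JSON, not real data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:12:03Z", "eventType": "AwsConsoleSignIn",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:14:41Z", "eventType": "AwsApiCall",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventType": "AwsApiCall",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventType": "AwsApiCall",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"}},
    # Service-originated call: sourceIPAddress is a DNS name, not an IP.
    {"eventTime": "2024-05-01T10:05:00Z", "eventType": "AwsApiCall",
     "eventName": "PutObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"}},
]


def load_lookup_events_output(text):
    """Parse `aws cloudtrail lookup-events` JSON output into raw records.

    Each entry in "Events" carries the full record as a JSON string in
    its "CloudTrailEvent" field."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text).get("Events", [])]


def identity_label(record):
    """Human-readable label for the principal in a CloudTrail record."""
    ident = record.get("userIdentity", {})
    return (ident.get("userName") or ident.get("arn")
            or ident.get("invokedBy") or ident.get("type", "unknown"))


def is_bad_source(source, bad_networks):
    """True if sourceIPAddress is an IP inside any known-bad network.

    A DNS name (service-originated call) is never an IP and never matches."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in bad_networks)


def triage(records, bad_sources):
    """Records from a bad source whose eventType the alert covers, in input order."""
    nets = [ipaddress.ip_network(s, strict=False) for s in bad_sources]
    return [r for r in records
            if r.get("eventType") in ALERT_EVENT_TYPES
            and is_bad_source(r.get("sourceIPAddress", ""), nets)]


def summarize(hits):
    """Per identity: API calls made, regions touched, and whether the console
    sign-in used MFA (None when no sign-in event is among the hits)."""
    acc = defaultdict(lambda: {"events": [], "regions": set(), "mfa_signin": None})
    for r in hits:
        entry = acc[identity_label(r)]
        entry["events"].append(r["eventName"])
        entry["regions"].add(r["awsRegion"])
        if r["eventType"] == "AwsConsoleSignIn":
            entry["mfa_signin"] = r.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    return {who: {"events": e["events"], "regions": sorted(e["regions"]),
                  "mfa_signin": e["mfa_signin"]} for who, e in acc.items()}


if __name__ == "__main__":
    # Constructed bad-source list; in practice this comes from the alert details.
    hits = triage(SAMPLE_RECORDS, ["198.51.100.0/24"])
    print(json.dumps(summarize(hits), indent=2))
```

In the constructed data the summary shows that alice signed in without MFA from the bad source, then created an access key and launched an instance in a region the account does not otherwise use, which is the pattern the Investigation steps above are meant to surface. Service-originated records are skipped because their sourceIPAddress is a DNS name rather than an address.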

Resolution

If the login is confirmed to be unauthorized, revoke or rotate the affected credentials first. Then harden the account with the following:

  • Avoid using the root user for day-to-day operations.
  • Use roles to delegate permissions.
  • Grant least privilege.
  • Use AWS-managed policies when adding permissions to your IAM identities.
  • Validate your policies.
  • Use customer-managed policies instead of inline policies.
  • Use access levels to review IAM permissions.
  • Configure a strong password policy for your users.
  • Enable MFA.
  • Use roles for applications that run on Amazon EC2 instances.
  • Rotate credentials regularly.
  • Remove unnecessary credentials.
  • Use policy conditions for extra security.
  • Monitor activity in your AWS account.
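The following is an added example of the "Use policy conditions for extra security" item above; it is not Lacework code or an AWS-supplied policy. It builds an IAM policy that denies every action when a request does not originate from an approved network, and evaluates that condition locally so the allow list can be sanity-checked before deployment. The CIDRs are constructed placeholders; aws:SourceIp and aws:ViaAWSService are real IAM global condition keys.

```python
"""Deny-outside-approved-networks IAM policy with a local condition check.

Added example (not Lacework or AWS code). The allowed CIDRs below are
constructed placeholders.
"""
import ipaddress
import json


def build_source_ip_deny_policy(allowed_cidrs):
    """Return an IAM policy denying all actions from IPs outside allowed_cidrs.

    aws:ViaAWSService=false keeps the deny from hitting calls that an AWS
    service makes on the principal's behalf, which do not carry the
    caller's own source address."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedNetworks",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        }],
    }


def request_denied(policy, source_ip, via_aws_service=False):
    """Evaluate the policy's Deny statements for one request.

    Mirrors IAM semantics for these two operators: a statement matches only
    when every condition block matches; NotIpAddress is true when the key is
    absent from the request context or the address is outside every listed
    network. source_ip=None models a request with no aws:SourceIp key."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        allowed = [ipaddress.ip_network(c, strict=False)
                   for c in cond.get("NotIpAddress", {}).get("aws:SourceIp", [])]
        if source_ip is None:
            not_ip_match = True  # negated operator on a missing key matches
        else:
            addr = ipaddress.ip_address(source_ip)
            not_ip_match = not any(addr in net for net in allowed)
        wanted = cond.get("Bool", {}).get("aws:ViaAWSService")
        bool_match = wanted is None or str(via_aws_service).lower() == wanted
        if not_ip_match and bool_match:
            return True
    return False


if __name__ == "__main__":
    # Constructed corporate egress ranges.
    policy = build_source_ip_deny_policy(["192.0.2.0/24", "203.0.113.0/24"])
    print(json.dumps(policy, indent=2))
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "denied" if request_denied(policy, ip) else "allowed")
```

Attach the policy to the IAM users or roles that should only ever be used from the approved networks, or apply it as a service control policy at the organization level. Because NotIpAddress matches when aws:SourceIp is absent, requests that arrive through a VPC endpoint (which carry aws:VpcSourceIp instead) are also denied by this statement; add the relevant VPC or VPC endpoint condition keys if such traffic must keep working.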