Login From Source Using Calltype
This alert is raised when Lacework detects a new edge (a relationship not seen before) between a source geolocation and an AWS CallType.
Why this Alert is Important
This alert indicates the presence of one of the following alert types:
Alert Type | Description |
---|---|
AwsApiCall | An API was called. |
AwsApiCallMFA | An API was called with MFA. |
AwsServiceEvent | The service generated an event related to your trail. For example, this can occur when another account makes a call with a resource that you own. |
AwsConsoleAction | An action was taken in the console that was not an API call. |
AwsConsoleSignIn | A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console. |
Investigation
Conduct an AWS security audit, including:
- Review your AWS account credentials.
- Review your IAM users.
- Review your IAM groups.
- Review your IAM roles.
- Review your IAM providers for SAML and OpenID Connect (OIDC).
- If you have created a mobile app that makes requests to AWS, review your mobile apps.
- Review your Amazon EC2 security configuration.
- Review AWS policies in other services.
Check the AWS Management Console for any unusual new resources or a resource in a new AWS region.
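
To support the audit, the following added example (not Lacework's implementation or code from this page) shows the idea behind the alert: it walks CloudTrail records in time order and reports the first event of each (geolocation, eventType) pair missing from a known baseline. The GeoIP table, baseline, sample records, and the function names `geolocate` and `new_edges` are all constructed for illustration.

```python
import ipaddress
import json

# Constructed GeoIP table (documentation-range IPs); stands in for a real GeoIP lookup.
SAMPLE_GEO = {"192.0.2.10": "US", "198.51.100.7": "US", "203.0.113.50": "NL"}

# Constructed baseline of (location, eventType) edges already seen.
BASELINE = {("US", "AwsApiCall"), ("US", "AwsConsoleSignIn"),
            ("aws-service", "AwsApiCall")}

# Constructed CloudTrail records, trimmed to the fields used below.
SAMPLE_TRAIL = json.loads("""[
{"eventTime":"2024-05-01T09:00:00Z","eventType":"AwsApiCall","eventName":"DescribeInstances","sourceIPAddress":"192.0.2.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
{"eventTime":"2024-05-01T09:05:00Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
{"eventTime":"2024-05-01T09:10:00Z","eventType":"AwsApiCall","eventName":"AssumeRole","sourceIPAddress":"ec2.amazonaws.com","userIdentity":{"type":"AWSService"}},
{"eventTime":"2024-05-01T09:20:00Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}},
{"eventTime":"2024-05-01T09:25:00Z","eventType":"AwsApiCall","eventName":"CreateAccessKey","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}},
{"eventTime":"2024-05-01T09:30:00Z","eventType":"AwsApiCall","eventName":"ListUsers","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
]""")


def geolocate(source, geo_table):
    """Map a CloudTrail sourceIPAddress to a location label."""
    try:
        ipaddress.ip_address(source)
    except ValueError:
        # Calls made by an AWS service carry a DNS name, not an IP address.
        return "aws-service"
    return geo_table.get(source, "unknown")


def new_edges(records, baseline, geo_table):
    """Return the first record of each (location, eventType) edge not in baseline."""
    seen = set(baseline)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        edge = (geolocate(rec["sourceIPAddress"], geo_table), rec["eventType"])
        if edge in seen:
            continue
        seen.add(edge)  # later events on the same edge are not re-reported
        findings.append({"edge": edge, "time": rec["eventTime"],
                         "event": rec["eventName"],
                         "principal": rec["userIdentity"].get("arn", "unknown")})
    return findings


if __name__ == "__main__":
    for f in new_edges(SAMPLE_TRAIL, BASELINE, SAMPLE_GEO):
        print(f)
```

The principal and event name on each finding point to which credentials and resources to review first.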
Resolution
You can implement the following resolutions:
- Rotate and delete all AWS access keys.
- Rotate any potentially unauthorized IAM user credentials.
- Delete any unrecognized or unauthorized resources.
- Enable MFA.
- Avoid using the root user for day-to-day operations.