Service Accessed In Region
This alert occurs when Lacework detects a user accessing a service in a specific region for the first time.
Why this Alert is Important
Access to a service from an unrecognized region indicates that your AWS account (or an IAM user whose permissions include enabling, disabling, and listing Regions) is possibly compromised.
Investigation
Conduct an AWS security audit, including:
- Search for any unrecognized or unauthorized resources.
- Search your AWS bill for services that you don't normally use, resources in AWS Regions that you don't normally use, or a significant change in the size of your bill.
- Review the IAM user who accessed the service and any IAM users who have permissions to enable, disable, and list Regions.
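
To support the review above, the following added example (not Lacework's detection logic, and not code from this page) replays CloudTrail records against a baseline window and reports each principal, service, and region combination that appears for the first time after the baseline ends. `eventSource`, `awsRegion`, and `userIdentity.arn` are CloudTrail record fields; the sample events, account ID, user names, and the function name `first_time_region_access` are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records for illustration (not real account data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-03-01T09:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",
  "awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventTime":"2024-03-02T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}},
 {"eventTime":"2024-03-10T08:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",
  "awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventTime":"2024-03-10T08:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",
  "awsRegion":"ap-southeast-2","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventTime":"2024-03-10T08:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",
  "awsRegion":"ap-southeast-2","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventTime":"2024-03-10T11:00:00Z","eventSource":"kms.amazonaws.com","eventName":"ListKeys",
  "awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
]""")

def _ts(value):
    # CloudTrail eventTime is UTC in ISO 8601 form with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def first_time_region_access(events, baseline_end):
    """Return one finding per (principal, service, region) first seen after baseline_end."""
    cutoff = _ts(baseline_end)
    seen, findings = set(), []
    for ev in sorted(events, key=lambda e: _ts(e["eventTime"])):
        ident = ev.get("userIdentity", {})
        # Some identity types carry no ARN; fall back to the type so they still group.
        principal = ident.get("arn") or ident.get("type", "unknown")
        key = (principal, ev["eventSource"], ev["awsRegion"])
        if key in seen:
            continue  # seen during the baseline, or already reported once
        seen.add(key)
        if _ts(ev["eventTime"]) > cutoff:
            findings.append({"principal": principal, "service": ev["eventSource"],
                             "region": ev["awsRegion"], "first_seen": ev["eventTime"],
                             "first_event": ev["eventName"]})
    return findings

if __name__ == "__main__":
    for finding in first_time_region_access(SAMPLE_EVENTS, "2024-03-05T00:00:00Z"):
        print(finding)
```

Each finding names the first API call made in the new combination, which gives a starting point for the resource and billing checks in the list above.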
Resolution
The following are resolutions that you can implement:
- Rotate and delete all AWS access keys.
- Rotate any potentially unauthorized IAM user credentials.
- Delete any unrecognized or unauthorized resources.
- Enable MFA.
- Avoid using the root user for day-to-day operations.
- If your AWS management account is compromised, immediately reach out to AWS Support.
- Once you have regained control of your AWS account, implement best practices for managing your organization's AWS accounts and users.