User Used Service In Region

This alert fires when Lacework observes a user calling an API of a service in a particular AWS region for the first time, that is, when the combination of user, service and region has not appeared before in the account's recorded activity.

Why this Alert is Important

API calls to a service in a region, or from a geolocation, that a user has never touched before can indicate compromised credentials: an attacker who obtains a key often works in regions the legitimate owner does not use, where the activity is less likely to be noticed. The alert is a signal to investigate, not proof of compromise; a new workload or a legitimate expansion into a region produces the same pattern.

Investigation

Use AWS CloudTrail data to view and track the API calls made in your account. The following sources hold that data:

  • CloudTrail Event history
  • CloudTrail Lake
  • Amazon CloudWatch Logs
  • Amazon Simple Storage Service (Amazon S3) archived log files

Follow these steps to investigate and remediate potentially compromised credentials in your AWS environment:

  1. Identify the affected IAM entity and the API call used. The IAM entity (either an IAM user or a role) and its identifying information are listed in the Resource section of the finding's details. You can determine the type of IAM entity involved from the User Type field or from the Access key ID (long-term IAM user keys begin with AKIA, temporary session credentials from an assumed role begin with ASIA). The API call used is listed as API in the finding details.
  2. Review the permissions granted to the IAM entity, so you know what the credentials could have reached.
  3. Determine whether the IAM entity's credentials were used legitimately, for example by confirming the activity with the credential owner and comparing the source IP addresses and user agents with the entity's usual activity.
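The check below is an added example, not Lacework's implementation (the page does not describe how Lacework builds its baseline). It reproduces the alert's idea over constructed CloudTrail records: build the set of (principal, service, region) combinations seen historically, flag the first record of any combination not in that set, and gather the fields steps 1 and 3 ask for (user type, access key ID, event name, source IP, user agent). Assumed-role sessions are mapped to the issuing role ARN so that a new session name alone does not raise an alert. The account ID, user "alice", role "Deploy", IP addresses and key IDs are placeholders.

```python
"""Reproduce the 'first use of a service in a region' check over constructed
CloudTrail records and collect triage fields. Added example, not Lacework code."""
import json
from collections import defaultdict

# --- Constructed sample data (placeholders, not real account activity) -----
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
         "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}


def deploy_session(session_name):
    """userIdentity block for one session of the hypothetical role 'Deploy'."""
    return {"type": "AssumedRole", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "arn": f"arn:aws:sts::111122223333:assumed-role/Deploy/{session_name}",
            "sessionContext": {"sessionIssuer": {
                "arn": "arn:aws:iam::111122223333:role/Deploy"}}}


def rec(time, ident, source, region, name, ip="198.51.100.7",
        ua="aws-cli/2.15.0", error=None):
    """Build a minimal CloudTrail record with the fields this check uses."""
    r = {"eventTime": time, "userIdentity": ident, "eventSource": source,
         "awsRegion": region, "eventName": name, "sourceIPAddress": ip,
         "userAgent": ua}
    if error:
        r["errorCode"] = error
    return r


BASELINE_RECORDS = [  # historical activity the account considers normal
    rec("2024-05-01T09:00:00Z", ALICE, "s3.amazonaws.com", "us-east-1", "ListBuckets"),
    rec("2024-05-01T09:05:00Z", ALICE, "ec2.amazonaws.com", "us-east-1", "DescribeInstances"),
    rec("2024-05-02T10:00:00Z", ALICE, "ec2.amazonaws.com", "eu-west-1", "DescribeInstances"),
    rec("2024-05-02T11:00:00Z", deploy_session("build-41"), "lambda.amazonaws.com",
        "us-east-1", "UpdateFunctionCode20150331v2", ip="192.0.2.10", ua="aws-sdk-go/1.50"),
]
NEW_RECORDS = [  # the window being evaluated
    rec("2024-05-03T08:00:00Z", ALICE, "s3.amazonaws.com", "us-east-1", "GetObject"),
    rec("2024-05-03T08:02:00Z", ALICE, "ec2.amazonaws.com", "ap-southeast-1",
        "DescribeInstances", ip="203.0.113.9", ua="Boto3/1.34"),
    rec("2024-05-03T08:03:00Z", ALICE, "ec2.amazonaws.com", "ap-southeast-1",
        "RunInstances", ip="203.0.113.9", ua="Boto3/1.34"),
    rec("2024-05-03T08:04:00Z", ALICE, "iam.amazonaws.com", "us-east-1", "ListUsers",
        ip="203.0.113.9", ua="Boto3/1.34", error="AccessDenied"),
    rec("2024-05-03T09:00:00Z", deploy_session("build-42"), "lambda.amazonaws.com",
        "us-east-1", "UpdateFunctionCode20150331v2", ip="192.0.2.10", ua="aws-sdk-go/1.50"),
]


def principal_of(record):
    """Stable principal identity: the user ARN for IAM users, the issuing role
    ARN for assumed-role sessions (so each new session is not a 'new user')."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn") or ident.get("principalId")


def baseline_tuples(records):
    """Set of (principal, eventSource, awsRegion) seen in historical records."""
    return {(principal_of(r), r["eventSource"], r["awsRegion"]) for r in records}


def first_time_service_in_region(records, baseline):
    """Return one alert per (principal, service, region) not in the baseline,
    carrying the first matching record's triage fields. Repeats of the same
    new combination within the window do not produce a second alert."""
    seen = set(baseline)
    alerts = []
    for r in records:
        key = (principal_of(r), r["eventSource"], r["awsRegion"])
        if key in seen:
            continue
        seen.add(key)
        ident = r["userIdentity"]
        alerts.append({"principal": key[0], "service": key[1], "region": key[2],
                       "user_type": ident.get("type"),
                       "access_key_id": ident.get("accessKeyId"),
                       "first_event": r["eventName"], "event_time": r["eventTime"],
                       "source_ip": r.get("sourceIPAddress"),
                       "user_agent": r.get("userAgent")})
    return alerts


def triage_summary(records, principal):
    """What step 3 needs for one principal: distinct source IPs and user agents,
    call counts per service:eventName, and how many calls returned an error."""
    out = {"source_ips": set(), "user_agents": set(),
           "events": defaultdict(int), "errors": 0}
    for r in records:
        if principal_of(r) != principal:
            continue
        out["source_ips"].add(r["sourceIPAddress"])
        out["user_agents"].add(r["userAgent"])
        out["events"][f'{r["eventSource"]}:{r["eventName"]}'] += 1
        if r.get("errorCode"):
            out["errors"] += 1
    return out


if __name__ == "__main__":
    baseline = baseline_tuples(BASELINE_RECORDS)
    for alert in first_time_service_in_region(NEW_RECORDS, baseline):
        print(json.dumps(alert, indent=2))
    print(json.dumps(triage_summary(BASELINE_RECORDS + NEW_RECORDS, ALICE["arn"]),
                     indent=2, default=sorted))
```

Run against the sample data, the check raises two alerts for alice (EC2 in ap-southeast-1 and IAM in us-east-1) and none for the Deploy role, whose second session reuses a known combination. The triage summary then shows what makes the alerts worth pursuing: a new source IP and user agent shared by all the flagged calls, plus an AccessDenied on an IAM enumeration call, a pattern more consistent with a stolen key than with a colleague trying a new region.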

Resolution

The following are resolutions that you can implement:

  • Rotate all AWS access keys and delete the compromised ones. Deactivate a key before deleting it, so you can confirm that nothing legitimate still depends on it.
  • Rotate any IAM user credentials that may have been exposed.
  • Delete any unrecognized or unauthorized resources, such as instances, users or keys created during the suspicious activity.
  • Enable MFA for IAM users, and for the root user in particular.
  • Use Amazon GuardDuty to detect suspicious activity within your AWS account.
  • Use IAM policies and S3 bucket policies to control how IAM users access your resources and buckets. You can also combine VPC endpoints with S3 bucket policies (the aws:SourceVpce condition key) to restrict bucket access to requests arriving through specific VPC endpoints.
  • For use cases that require sharing S3 objects between different sources, use S3 Access Points to create permission sets that restrict access to requests from within your private network (access points with a VPC network origin).
  • Where another AWS account needs access to your resources, grant it deliberately. For S3, prefer bucket policies over access control lists (ACLs): AWS recommends keeping ACLs disabled, which is the default for new buckets under S3 Object Ownership, so that policies alone define who can reach the data.