
User activity in blocklisted regions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RTM-008

The Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected activity in an AWS region that is not currently safelisted.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

The activity detected by this rule can be any action taken in the AWS Management Console, or any AWS API request made programmatically with the AWS CLI or an SDK, that creates, modifies or deletes resources in your AWS account, evaluated on a per-region basis. Cloud Conformity Real-Time Monitoring can detect essentially any AWS API call or event recorded by Amazon CloudTrail, for example launching, stopping or terminating an EC2 instance, creating or modifying a VPC security group, changing the access permissions of an S3 bucket, or deleting an SQS queue. Because detection depends on CloudTrail, make sure the trail that feeds Conformity records events from all regions (a multi-region trail): activity in a region your trail does not cover never reaches the RTMA engine and cannot be alerted on.

A safelisted region is an AWS region in which activity is permitted, i.e. where any AWS API call is treated as expected, approved and recognized. A blocklisted region is the opposite: any AWS API request made there is treated as unexpected and suspicious and raises an alert. Note that this rule only detects and notifies; it does not block the request. If you also need to prevent activity outside approved regions, pair it with an IAM or SCP policy that denies requests whose aws:RequestedRegion is not in your approved list.

To enable RTMA detection for this Conformity rule, you must first define the list of AWS regions to safelist in the rule configuration on the Cloud Conformity dashboard. Once the rule is configured, the RTMA agent notifies you of any AWS action or API call detected in a region that is not on the list, i.e. in the blocklisted region(s).

Important Note:
To benefit from the RTMA detection used by this rule, you first need to safelist the desired AWS region(s) in the rule settings on the Cloud Conformity dashboard. For instance, if you define Oregon (us-west-2) as a safelisted region, any activity detected in a region other than Oregon is treated as a risk and a notification alert is sent to you immediately.
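As an added example (not Conformity's own code, which this page does not publish), the following Python reproduces the rule's evaluation over constructed CloudTrail records: it keeps only mutating calls, compares each record's awsRegion with the safelist from the note above (us-west-2 only), and exempts global services, whose events CloudTrail records under us-east-1 regardless of where the caller is. The safelist, the global-service exemption and the sample records are assumptions made for the example; the page does not say how the real rule treats global-service events.

```python
"""Evaluate CloudTrail records against a region safelist (RTM-008 style).

Added example, not Conformity's own code: it reproduces the rule's logic
over constructed CloudTrail records so the behaviour can be checked offline.
"""

# Assumption: only Oregon is safelisted, matching the note above.
SAFELISTED_REGIONS = {"us-west-2"}

# Global services (IAM, STS, Organizations, CloudFront, ...) write their
# CloudTrail events with awsRegion "us-east-1" no matter where the caller
# is, so they would trip a safelist that omits us-east-1. This example
# exempts them by eventSource. Assumption: the page does not say how the
# real rule treats global-service events.
GLOBAL_SERVICE_SOURCES = {
    "iam.amazonaws.com",
    "sts.amazonaws.com",
    "organizations.amazonaws.com",
    "cloudfront.amazonaws.com",
}

# Used only when a record lacks CloudTrail's readOnly field.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def is_read_only(event):
    """True for read-only calls. CloudTrail marks management events with a
    readOnly boolean; fall back to the API name when the field is absent."""
    if "readOnly" in event:
        return bool(event["readOnly"])
    return event["eventName"].startswith(READ_ONLY_PREFIXES)


def evaluate(event, safelist=SAFELISTED_REGIONS):
    """Return an alert for a mutating call outside the safelist, else None.

    Mirrors the rule: only creation, modification and deletion count, and
    the region is taken from the record's awsRegion field.
    """
    if event.get("eventSource") in GLOBAL_SERVICE_SOURCES:
        return None
    if is_read_only(event):
        return None
    region = event.get("awsRegion")
    if region in safelist:
        return None
    identity = event.get("userIdentity", {})
    return {
        "rule": "RTM-008",
        "region": region,
        "eventTime": event.get("eventTime"),
        "eventSource": event.get("eventSource"),
        "eventName": event["eventName"],
        "principal": identity.get("arn") or identity.get("principalId"),
        "sourceIPAddress": event.get("sourceIPAddress"),
    }


def scan(records, safelist=SAFELISTED_REGIONS):
    """Evaluate every record and return the alerts in log order."""
    alerts = []
    for record in records:
        alert = evaluate(record, safelist)
        if alert is not None:
            alerts.append(alert)
    return alerts


def _record(time, source, name, region, read_only=None,
            arn="arn:aws:iam::123456789012:user/alice"):
    """Build a minimal CloudTrail record. Constructed sample data, not a real log."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": arn},
    }
    if read_only is not None:
        rec["readOnly"] = read_only
    return rec


# Constructed sample records (the "Records" array of a CloudTrail log file).
SAMPLE_RECORDS = [
    _record("2017-05-24T10:00:01Z", "ec2.amazonaws.com", "RunInstances", "eu-central-1", False),
    _record("2017-05-24T10:00:05Z", "ec2.amazonaws.com", "DescribeInstances", "eu-central-1", True),
    _record("2017-05-24T10:01:12Z", "s3.amazonaws.com", "PutBucketAcl", "us-west-2", False),
    _record("2017-05-24T10:02:30Z", "iam.amazonaws.com", "CreateUser", "us-east-1", False),
    # No readOnly field: exercises the event-name fallback.
    _record("2017-05-24T10:03:44Z", "sqs.amazonaws.com", "DeleteQueue", "ap-southeast-1"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Running the block reports two alerts, the EC2 RunInstances call in eu-central-1 and the SQS DeleteQueue call in ap-southeast-1; the DescribeInstances call is ignored as read-only, the S3 change is in the safelisted region, and the IAM call is exempt as a global-service event. Widening the safelist to cover both regions silences both alerts.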

Rationale

Monitoring your AWS account activity in real-time is essential in order to keep your account secure and adhere to security best practices. AWS activity monitoring and detection is also required when you must comply with the regulations enforced within your organization.

With Cloud Conformity RTMA per-region monitoring you can increase the visibility of API activity in your AWS account for security and management purposes. It helps keep your AWS infrastructure secure by detecting unusual activity in the blocklisted AWS region(s) and sending real-time notifications, which is especially useful when, for example, an unauthorized user creates resources in a blocklisted region and adds unexpected cost to your AWS bill.

This type of detection can also be used to catch activity that could lead to data exposure or data loss in a so-called "regional storage unit" (an AWS region used solely for data storage and archiving with services such as S3 and Glacier), where any creation, modification or deletion outside the expected region deserves attention.

Another example is an organization that, for data sovereignty and data residency reasons, is required to deploy its AWS workloads only in the Sydney (ap-southeast-2) region. The company can configure the rule to safelist only the Sydney region, reducing the risk of breaching the applicable regulations. Under Australia's strict data privacy laws such a breach could put the business at risk, since personal data (including credit card details, health records, personal information and financial records) may be required to remain within Australia.

Using Cloud Conformity RTMA to detect unexpected activity in your blocklisted AWS regions lets you act immediately on the real-time RTMA notifications and helps ensure that your organization remains compliant with data sovereignty laws.


Publication date May 24, 2017