Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Users signed in to AWS from a safelisted IP Address

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: RTM-007

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS user authentication request initiated from a non-authorized IP address (e.g. 119.168.222.122).
Allowing users to authenticate from blocklisted IPs could be very problematic because usually the authentication requests are coming from infected networks or individual machines, bots/botnets, people that are trying to access your AWS environment with malicious intent or former employees that are no longer qualified to access your AWS account resources.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

For this conformity rule, a safelisted IP represents an IP address that you can trust, that belongs to an eligible AWS user (root or IAM) which have the permission to access your AWS environment, meaning that the user authentication request is accepted, approved and recognized. In opposition, a blocklisted IP is an IP address that pose a threat to your AWS environment, from where all user authentication requests are marked as banned, unrecognized or suspicious.

This RTMA rule will help you to restrict access to your AWS services and resources only from a known IP address. As a security best practice, it is always recommended to restrict access to your AWS account from a compromised IP address as an effective way of minimizing the impact of security breaches.

In order to enable RTMA monitoring and detection for the current conformity rule, you must define the list of authorized (safelisted) IP addresses within the rule configuration using the Cloud Conformity dashboard. Once the rule is configured and all safelisted IPs are correctly defined, the intrusion detection becomes active and you will be notified by the Cloud Conformity RTMA agent for any login session initiated from a non-authorized IP address, notification alert that can help you take immediate actions to secure your AWS account, such as deleting the non-authorized IAM user or updating the right IAM policy by specifying the 'aws:SourceIp' condition within the access policy statement.

Important Note:
To adhere to security best practices and benefit from the RTMA detection used by this rule you need to first define the IPs safelist within the rule settings. You can specify the private individual IPs, for example, use 119.168.222.122 to safelist a single IP address or you can specify a public individual IPs such as 183.136.232.105

Monitoring user access in real-time is essential for keeping your Amazon Web Services account safe. With the Cloud Conformity RTMA logon monitoring that detects authentication requests made from non-authorized IP addresses you will gain real-time visibility into your AWS account login activity and help you respond fast to any unauthorized access session that could represent a threat to your AWS account.

Rationale

To reduce exposure to this type of security issue, you can make use of a VPN connection by linking your AWS Virtual Private Cloud (VPC) to a remote network or individual machine or utilize the AWS Direct Connect service which makes it easy to establish a dedicated network connection from your individual user machines or organization network to your AWS VPC. You can also combine the connection created with Direct Connect with an AWS hardware VPN connection in order to create an IPsec-encrypted tunnel. If AWS Direct Connect or VPN connections are in use, the AWS users can access the organization resources only from an internal network to prevent all unauthorized access. Also, since most organizations disable internal and VPN network access when an employee or independent contractor exits, the access to the AWS environment for these users is automatically canceled.

Cloud Conformity RTMA enforces secure access to your AWS account by providing this real-time detection rule. This rule is responsible for sending notifications to you and your recipients in the event of an authentication from a blocklisted IP address. These alert notifications could help mitigate several types of risks, such as data theft, hacking, corporate espionage, as well as several other kinds of attacks, or even a former employee from your organisation acting with malicious intentions.

References

Publication date May 24, 2017