Features
Integrations
Dashboards
Log Management
APM
Security Monitoring
Network Monitoring
Synthetic Monitoring
Real User Monitoring
Serverless
Alerts
API
< Back to rules search
AWS IAM User Changing Sensitive Configurations
Set up the guardduty integration.
Overview
Goal
Detect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.
Strategy
This rule lets you monitor these GuardDuty integration findings:
- Stealth:IAMUser/S3ServerAccessLoggingDisabled
- Stealth:IAMUser/PasswordPolicyChange
- Stealth:IAMUser/CloudTrailLoggingDisabled
- Stealth:IAMUser/LoggingConfigurationModified
Triage & Response
- Determine which user triggered the signal. This can be found in the signal.
- Determine if the user’s credentials are compromised.
- If the user’s credentials are compromised:
- Review the AWS documentation on remediating compromised AWS credentials.
On this Page