< Back to rules search
AWS IAM User Suspicious Login
Set up the guardduty integration.
Detect when an AWS IAM user login is suspicious.
This rule lets you monitor these GuardDuty integration findings:
Triage & Response
- Determine which user triggered the signal. This can be found in the signal.
- Determine if the user’s credentials are compromised.
- If the user’s credentials are compromised:
- Review the AWS documentation on remediating compromised AWS credentials.