AWS IAM user requests from malicious IP
Detect when an AWS IAM user makes API requests from a malicious IP.
This rule lets you monitor these GuardDuty integration findings:
Triage & Response
- Determine which user triggered the signal. This can be found in the signal.
- Determine if the user’s credentials are compromised.
- If the user’s credentials are compromised:
  - Review the AWS documentation on remediating compromised AWS credentials.