AWS Account Accessed From a New Geolocation
This alert fires when an AWS IAM user or assumed role accesses AWS services from a geolocation that has not been seen before for this AWS account. In other words, this is the first time the account has been accessed from this location.
This alert indicates the presence of one of the following events, where the API request was successful:
| Event Type | Description |
|---|---|
| AwsApiCall | An API was called. |
| AwsApiCallMfa | An API was called with MFA. |
| AwsServiceEvent | The service generated an event related to your trail. For example, this can occur when another account makes a call with a resource that you own. |
| AwsConsoleAction | An action was taken in the console that was not an API call. |
| AwsConsoleSignIn | A user in your account (root, IAM, federated, SAML, or SwitchRole) signed in to the AWS Management Console. |
If multi-factor authentication (MFA) was used to authenticate, "Mfa" is appended to the event type (for example, AwsApiCallMfa), so any of the values in the table may also appear with that suffix. These values are taken directly from the CloudTrail event records.
Why this alert is important
If a user normally operates from one or two locations, such as the office and home, activity from a new geolocation may indicate that a malicious actor has obtained the user's credentials and is using them.
A targeted attacker can use a VPN or a hosting provider to obtain an IP address close to the victim, which is enough to pass a country-level check. When judging whether a location is genuinely new, compare the specific city or town, not only the country.
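As an added example that is not code from the original page or from any vendor product, the following Python script applies the checks described above to CloudTrail records: it keeps only the covered event types (with or without the "Mfa" suffix), discards failed requests, labels the principal in the same IAMUser/account:name and AssumedRole/account:name form the alert uses, and compares each successful event against a per-principal baseline. The `granularity` switch shows why city-level comparison matters: the same events that alert at city granularity are silent at country granularity. The CloudTrail records, the account ID 123456789012 and GEOIP_TABLE (a stand-in for a real GeoIP database) are constructed for the example.

```python
"""Added example (not code from the page or any vendor product): a first-seen
geolocation check over CloudTrail records. The records, the account ID
123456789012 and GEOIP_TABLE (a stand-in for a real GeoIP database) are constructed."""
from collections import defaultdict

# eventType values the alert covers; "Mfa" may be appended to any of them when
# MFA was used, so the check strips that suffix before comparing.
COVERED_EVENT_TYPES = {"AwsApiCall", "AwsServiceEvent", "AwsConsoleAction", "AwsConsoleSignIn"}

GEOIP_TABLE = {  # constructed IP -> (country, city) lookups
    "203.0.113.10": ("US", "Seattle"), "203.0.113.11": ("US", "Seattle"),
    "198.51.100.7": ("US", "Portland"), "192.0.2.44": ("DE", "Berlin"),
}

def location_key(ip, granularity="city"):
    """Location tuple compared against the baseline; granularity="country"
    is the weak check that a VPN exit near the victim defeats."""
    country, city = GEOIP_TABLE.get(ip, ("??", "unknown"))
    return (country, city) if granularity == "city" else (country,)

def identity_label(record):
    """Render userIdentity as <type>/<account>:<name>, the AWS User column form
    (IAMUser/000000000001:alice, AssumedRole/000000000001:RoleName)."""
    ident = record["userIdentity"]
    itype, account = ident.get("type", "Unknown"), ident.get("accountId", "?")
    if itype == "AssumedRole":  # arn:aws:sts::<acct>:assumed-role/<Role>/<Session>
        name = ident["arn"].split("/")[1]
    elif itype == "IAMUser":
        name = ident["userName"]
    else:
        name = ident.get("arn", itype)
    return f"{itype}/{account}:{name}"

def is_covered(record):
    etype = record.get("eventType", "")
    return (etype[:-3] if etype.endswith("Mfa") else etype) in COVERED_EVENT_TYPES

def is_successful(record):
    # Failed API calls carry errorCode; console sign-ins report the outcome in
    # responseElements.ConsoleLogin ("Success" or "Failure").
    if "errorCode" in record:
        return False
    return (record.get("responseElements") or {}).get("ConsoleLogin", "Success") == "Success"

def build_baseline(history, granularity="city"):
    """Locations each principal was seen from during the learning window."""
    baseline = defaultdict(set)
    for rec in history:
        if is_covered(rec) and is_successful(rec):
            baseline[identity_label(rec)].add(location_key(rec["sourceIPAddress"], granularity))
    return baseline

def detect_new_geolocations(records, baseline, granularity="city"):
    """One alert per principal and never-seen location, successful covered events
    only; the location then joins the baseline so repeats stay quiet."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not (is_covered(rec) and is_successful(rec)):
            continue
        who = identity_label(rec)
        loc = location_key(rec["sourceIPAddress"], granularity)
        if loc in baseline[who]:
            continue
        baseline[who].add(loc)
        alerts.append({"who": who, "location": loc, "event": rec["eventName"],
                       "mfa": rec["eventType"].endswith("Mfa"), "time": rec["eventTime"]})
    return alerts

def _rec(itype, name, ip, etype, event, time, **extra):
    """Constructed, minimal CloudTrail record (real ones carry many more fields)."""
    ident = {"type": itype, "accountId": "123456789012"}
    if itype == "IAMUser":
        ident["userName"] = name
    else:
        ident["arn"] = f"arn:aws:sts::123456789012:assumed-role/{name}/session"
    return {"eventTime": time, "eventType": etype, "eventName": event,
            "sourceIPAddress": ip, "userIdentity": ident, **extra}

HISTORY = [  # learning window: alice works from Seattle, DeployRole runs there too
    _rec("IAMUser", "alice", "203.0.113.10", "AwsApiCall", "ListBuckets", "2024-05-01T09:00:00Z"),
    _rec("IAMUser", "alice", "203.0.113.11", "AwsConsoleSignIn", "ConsoleLogin",
         "2024-05-02T09:00:00Z", responseElements={"ConsoleLogin": "Success"}),
    _rec("AssumedRole", "DeployRole", "203.0.113.10", "AwsApiCall", "DescribeInstances",
         "2024-05-03T09:00:00Z"),
]
NEW_EVENTS = [
    # same country, new city, with MFA: alerts at city granularity only
    _rec("IAMUser", "alice", "198.51.100.7", "AwsApiCallMfa", "GetSecretValue", "2024-05-10T10:00:00Z"),
    # new country, but the call was denied: not a successful access
    _rec("IAMUser", "alice", "192.0.2.44", "AwsApiCall", "ListUsers", "2024-05-10T10:05:00Z",
         errorCode="AccessDenied"),
    _rec("AssumedRole", "DeployRole", "203.0.113.10", "AwsApiCall", "DescribeInstances",
         "2024-05-10T10:10:00Z"),  # known location for the role
    _rec("IAMUser", "alice", "198.51.100.7", "AwsApiCallMfa", "PutObject", "2024-05-10T10:20:00Z"),
]

def run(granularity="city"):
    """Replay the constructed events: "city" yields one alert, "country" none."""
    return detect_new_geolocations(NEW_EVENTS, build_baseline(HISTORY, granularity), granularity)
```

Running `run("city")` yields a single alert for IAMUser/123456789012:alice from ("US", "Portland") on the MFA-authenticated GetSecretValue call; the denied call from Berlin, the role's activity from its usual location and the second Portland event produce nothing. `run("country")` returns no alerts at all, which is exactly the blind spot a VPN exit in the victim's country exploits.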
Why this might be just fine
A user working remotely from a new location, for example while on vacation or when connected through a VPN, has a different source IP address, and that address resolves to a different geolocation.
Investigation
Use the steps below to investigate this alert:
- Review the Who section in the Alert Details to identify the user in question:
  - Determine whether this is an IAM user or an assumed role by reviewing the AWS User column. The portion before the slash (/) indicates the identity type. For example:
    - An IAM user: IAMUser/000000000001:username@example.com
    - An assumed role: AssumedRole/000000000001:AWSServiceRoleForAmazonSSM
  - Obtain the principal ID for each identity involved.
- Determine which actions the user performed during the alert time frame by clicking the IAM identity link in the Alert Description. You may need to expand the time frame to see additional relevant activity.
Resolution
The following are resolutions that you can implement:
- Deactivate, rotate, or delete the AWS access keys associated with the user. Deactivating first is reversible if the alert turns out to be benign.
- Delete any console login profile associated with the user.
- Delete any unrecognized or unauthorized resources that were created.
- Analyze any resources or data that were accessed.
- Enable MFA for the user.
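As an added example, not the page's own or AWS's own tooling, the following Python functions carry out the credential-related resolution steps with the IAM API, plus the equivalent step for the assumed-role case from the Investigation section, where rotating keys does not end a session that was already obtained through AssumeRole. The IAM client is injected so the steps can be exercised offline against the constructed `FakeIam` below; in production pass `boto3.client("iam")`. The user name, role name and access key IDs are constructed for the example.

```python
"""Added example (not the page's or AWS's own tooling): containment for an IAM
user and for an assumed role after the alert is confirmed. The IAM client is
injected so the steps can run against the constructed FakeIam below; in
production pass boto3.client("iam"). User, role and key IDs are constructed."""
import json
from datetime import datetime, timezone

def contain_iam_user(iam, user_name):
    """Deactivate (rather than delete) active access keys, which is reversible if
    the alert proves benign, then remove console access. Returns the actions taken."""
    actions = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            actions.append(("deactivated_key", key["AccessKeyId"]))
    try:
        iam.delete_login_profile(UserName=user_name)
        actions.append(("deleted_login_profile", user_name))
    except iam.exceptions.NoSuchEntityException:
        pass  # the user never had a console password
    return actions

def revoke_role_sessions(iam, role_name, issued_before=None):
    """Key rotation does not end a session already obtained through AssumeRole.
    This inline deny policy, keyed on aws:TokenIssueTime, cuts off every session
    issued before the timestamp (what the console's "Revoke active sessions"
    button does); sessions assumed afterwards are unaffected."""
    issued_before = issued_before or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                             "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(policy))
    return policy

class FakeIam:
    """Constructed stand-in for boto3's IAM client that records the calls made."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, keys, has_login_profile):
        self.keys, self.has_login_profile, self.calls = keys, has_login_profile, []

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))
        for k in self.keys:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_login_profile(self, UserName):
        if not self.has_login_profile:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.has_login_profile = False
        self.calls.append(("delete_login_profile", UserName))

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.calls.append(("put_role_policy", RoleName, PolicyName))
        self.role_policy = json.loads(PolicyDocument)

def demo():
    """Run both containment steps against the fake client (constructed data)."""
    iam = FakeIam([{"AccessKeyId": "AKIAEXAMPLEKEY00001", "Status": "Active"},
                   {"AccessKeyId": "AKIAEXAMPLEKEY00002", "Status": "Inactive"}],
                  has_login_profile=True)
    user_actions = contain_iam_user(iam, "alice")
    policy = revoke_role_sessions(iam, "DeployRole", issued_before="2024-05-10T12:00:00Z")
    return iam, user_actions, policy
```

`demo()` deactivates only the key that was still active, deletes the login profile, and attaches the session-revocation policy to the role. Deactivating keys keeps the key IDs attached to the user for the duration of the investigation; delete them once the analysis of accessed resources is complete.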