New AWS Service Accessed in Region

This alert fires when Lacework detects that an identity has accessed an AWS service for the first time in a specific region and account. The alert triggers when:

  • Lacework has not previously seen this identity access the service in the same region and account.
  • The service may already be used by other identities, and this identity may already use it in other regions or accounts; neither suppresses the alert, because the baseline is per identity, service, region and account.

Why this alert is important

Lacework Polygraph establishes behavioral baselines for the identities in your cloud deployment. This alert indicates a deviation from that baseline: an identity is doing something it has not done before, which may mean compromised credentials or a policy violation. Attackers often operate in regions an organization does not normally use, expecting less monitoring there, so this alert is relevant for catching such attempts.

Why this might be just fine

In software projects it is common to try out new services or APIs: exploring a newly launched AWS service, adding functionality, or using a new region for specific customers or geographies.

Investigation

Use the steps below to investigate this alert:

  1. Determine whether this service is normally used in your organization:
    • Review the CloudTrail dossier filtered to the new service. If little or no activity by any identity is recorded over an extended period (one month or more), the service is not normally used in this account, which makes the alert more significant and warrants further investigation.
  2. Determine whether this region is normally used:
    • Review the CloudTrail dossier filtered to the region in question. If little or no activity is recorded over an extended period (one month or more), the region is not in use, which again warrants further investigation.
  3. Identify the API calls the identity made to the service, focusing on calls that involve credentials, establish persistence, or reveal information. Below are some potentially sensitive API calls:
  4. Validate the legitimacy of the session by correlating with your identity provider's logs, using the principal ID from the Who section of the alert. Check whether the activity originated from a corporate asset (for example, a known source IP address or a managed device).

Resolution

The following are resolutions that you can implement:

  • Rotate or delete the AWS access keys associated with the user. Deactivating a key first stops its use immediately while keeping the key ID available for CloudTrail correlation.
  • Delete any console login profile associated with the user.
  • Delete any unrecognized or unauthorized resources that were created.
  • Analyze any resources or data that were accessed.
  • Enable MFA for the identity.
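The containment actions above, as an added example that is neither Lacework's nor AWS's code: the functions below issue the boto3 IAM client calls (list_access_keys, update_access_key, delete_access_key, delete_login_profile, list_mfa_devices, put_role_policy) with their real argument and return shapes, but take the client as a parameter so the block runs offline against the constructed `FakeIAM` below; in production pass `boto3.client("iam")`. The user name and key IDs are AWS documentation placeholders. `revoke_role_sessions` goes beyond the page's user-focused list to cover the case where the identity was a role, whose already-issued temporary credentials are not affected by key rotation.

```python
import json
from datetime import datetime, timezone


class FakeIAM:
    """Constructed in-memory stand-in for boto3.client("iam"), implementing only the
    calls used below with the same argument and return shapes. Not AWS code."""

    class exceptions:  # boto3 exposes modelled errors as client.exceptions.<Name>
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, users):
        self.users = users  # name -> {"keys": {key_id: status}, "login_profile": bool, "mfa": [...]}
        self.calls = []     # record of mutating calls, for the test and the incident ticket

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.users[UserName]["keys"].items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append(("update_access_key", AccessKeyId, Status))
        self.users[UserName]["keys"][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append(("delete_access_key", AccessKeyId))
        del self.users[UserName]["keys"][AccessKeyId]

    def delete_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise self.exceptions.NoSuchEntityException("no login profile")
        self.calls.append(("delete_login_profile", UserName))
        self.users[UserName]["login_profile"] = False

    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self.users[UserName]["mfa"]]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        json.loads(PolicyDocument)  # the real API rejects non-JSON documents too
        self.calls.append(("put_role_policy", RoleName, PolicyName))


def contain_user(iam, user_name, delete_keys=False):
    """Cut off a compromised IAM user: deactivate every active key (reversible, and the
    key IDs stay available for CloudTrail correlation), optionally delete them, remove
    the console login profile, and report whether MFA is enrolled. Safe to re-run."""
    actions = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        key_id = meta["AccessKeyId"]
        if meta["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
            actions.append(f"deactivated {key_id}")
        if delete_keys:
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)
            actions.append(f"deleted {key_id}")
    try:
        iam.delete_login_profile(UserName=user_name)
        actions.append("deleted console login profile")
    except iam.exceptions.NoSuchEntityException:
        actions.append("no console login profile")  # API-only user, or already removed
    if not iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        actions.append("no MFA device enrolled; require MFA before restoring access")
    return actions


def revoke_role_sessions(iam, role_name, issued_before=""):
    """If the identity was a role, its existing temporary credentials stay valid until
    they expire. An inline deny on tokens issued before a cut-off (the same policy the
    console's "Revoke active sessions" button attaches) invalidates them without
    touching the trust policy. issued_before is an ISO-8601 UTC timestamp; default now."""
    cutoff = issued_before or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}
    iam.put_role_policy(RoleName=role_name, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(policy))
    return policy


if __name__ == "__main__":
    iam = FakeIAM({"alice": {"keys": {"AKIAIOSFODNN7EXAMPLE": "Active"},
                             "login_profile": True, "mfa": []}})
    print(contain_user(iam, "alice"))
    print(revoke_role_sessions(iam, "deploy-role", "2024-03-10T03:12:00Z"))
```

Run `contain_user` before `delete_keys=True`: the deactivated key still appears in CloudTrail queries by key ID, which step 3 of the investigation depends on. The deny policy uses the `aws:TokenIssueTime` condition key, so sessions assumed after the cut-off keep working once the investigation is closed and the policy is removed.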