AWS Identity and Access Management (IAM)
Version: AWS LogForwarder v1.0.10 or later.
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It lets you create and manage the identities that authenticate to AWS and restrict which people and systems can use which AWS resources. With IAM policies, you manage permissions for your workforce and systems so that each receives only the least-privilege permissions it needs.
Netsurion Open XDR monitors AWS IAM events by parsing AWS CloudTrail logs and triggers from Amazon EventBridge. Dashboards and reports in Netsurion Open XDR track the actions performed against the Amazon IAM service to keep you informed about its activity, and alerts are triggered whenever an action critical to the service is carried out.
For a new instance, integrate the AWS instance with Netsurion Open XDR using the Netsurion integrator Lambda function, which in turn delivers logs from AWS to Netsurion Open XDR. For an already-integrated AWS instance, make sure to update to AWS LogForwarder v1.0.1 or later.
The following are the key data source integrations available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | AWS IAM – Add policy and roles | This alert is triggered when the creation of a new policy is detected in the Identity and Access Management (IAM) service. |
| Security | AWS IAM – Create new user and group | This alert is triggered when an attempt is made to create a new user or group in the IAM console. |
| Security | AWS IAM – Delete group and user | This alert is triggered when an attempt is made to delete or remove a user or group from the IAM console. |
| Security | AWS IAM – Delete policy and role | This alert is triggered when a user deletes an AWS service policy or role from the IAM console. |
| Security | AWS IAM – Create and delete access key | This alert is triggered when a user creates or deletes access key credentials in the IAM console. |
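The alerts above all reduce to matching the `eventName` of IAM records in CloudTrail. The following is an added example (not Netsurion's code, and not the product's actual rule definitions) that classifies constructed CloudTrail records into the five alert names from the table, keeps failed attempts (records carrying `errorCode`) because the "attempt is made" alerts need them, and emits the equivalent Amazon EventBridge event pattern. The mapping from IAM API names to alert names is my assumption; the account ID, IP addresses and principal names in the sample log are constructed, and the alert names use plain hyphens.

```python
"""Classify AWS IAM CloudTrail records into the alert categories listed above."""
import json

# Assumed mapping of CloudTrail eventName values (real IAM API names) to the
# alert names in the table. This is an illustration, not Netsurion's rule logic.
ALERT_RULES = {
    "AWS IAM - Add policy and roles": {"CreatePolicy", "CreateRole"},
    "AWS IAM - Create new user and group": {"CreateUser", "CreateGroup"},
    "AWS IAM - Delete group and user": {"DeleteUser", "DeleteGroup"},
    "AWS IAM - Delete policy and role": {"DeletePolicy", "DeleteRole"},
    "AWS IAM - Create and delete access key": {"CreateAccessKey", "DeleteAccessKey"},
}

# Reverse index: eventName -> alert name, built once for constant-time lookups.
EVENT_TO_ALERT = {ev: alert for alert, evs in ALERT_RULES.items() for ev in evs}

# requestParameters keys that identify the IAM object being changed.
TARGET_KEYS = ("userName", "groupName", "roleName", "policyName", "policyArn")


def classify(record: dict):
    """Return the alert name for one CloudTrail record, or None if it is not of interest."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    return EVENT_TO_ALERT.get(record.get("eventName"))


def describe_target(record: dict) -> str:
    """Pick the first request parameter that names the affected user/group/role/policy."""
    params = record.get("requestParameters") or {}
    for key in TARGET_KEYS:
        if key in params:
            return f"{key}={params[key]}"
    return "unknown"


def scan(records):
    """Produce one alert dict per matching record; failed attempts are kept but flagged."""
    alerts = []
    for rec in records:
        alert = classify(rec)
        if alert is None:
            continue
        identity = rec.get("userIdentity") or {}
        alerts.append({
            "alert": alert,
            "eventName": rec.get("eventName"),
            "time": rec.get("eventTime"),
            "actor": identity.get("arn", "unknown"),
            "sourceIp": rec.get("sourceIPAddress"),
            "target": describe_target(rec),
            "succeeded": "errorCode" not in rec,  # CloudTrail adds errorCode on failure
        })
    return alerts


def eventbridge_pattern() -> dict:
    """EventBridge event pattern selecting the same IAM API calls delivered via CloudTrail."""
    return {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["iam.amazonaws.com"],
            "eventName": sorted(EVENT_TO_ALERT),
        },
    }


# Constructed sample CloudTrail records, one JSON object per line as in a log file.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"arn":"arn:aws:iam::123456789012:user/auditor"},"sourceIPAddress":"198.51.100.8","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"iam.amazonaws.com","eventName":"DeleteRole","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.9","requestParameters":{"roleName":"LambdaExecRole"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","userIdentity":{"arn":"arn:aws:iam::123456789012:user/dev"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"logs"}}
"""

SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(json.dumps(alert))
    print(json.dumps(eventbridge_pattern(), indent=2))
```

Running the block prints three alerts (the read-only `GetUser` and the S3 record are ignored) and the EventBridge pattern. The `DeleteRole` record is reported with `succeeded: false`: a denied deletion is still worth an alert, since it shows a principal trying to remove a role it is not entitled to touch.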
Reports
| Type | Name | Description |
|---|---|---|
| Security | AWS IAM – Activity Overview | This report contains relevant information related to all activities in AWS IAM. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.3 or later, and AWS LogForwarder v1.0.10 or later.
Download the Integration Guide and How-to Guide for configuration instructions and more information.