IAM use cases
AWS Identity and Access Management (IAM) log data can be used to monitor user access to AWS services and resources. With IAM you create and manage AWS users and groups, and define the permissions that allow or deny their access to AWS resources. The API calls that do this, and console logins, are recorded by CloudTrail, and those records are what the rules below match.
Below are some use cases for the Wazuh rules written for IAM events.
Create user account
When a new user account is created in IAM, an AWS event is generated. As previously mentioned, the log message is collected by the Wazuh agent and forwarded to the manager for analysis. This type of message is expected to match rule 80861, producing an alert that can be seen in Kibana.
Create user account without permissions
If a user who lacks permission to create IAM users (the iam:CreateUser action) attempts to do so, the request is denied and the resulting log message matches rule 80862; the alert is shown in Kibana. Note that this is a denied call by an authenticated principal, so the record carries an error code rather than a new user.
User login failed
When a user tries to log in to the AWS Management Console with an invalid password, a new event is generated that matches rule 80802, producing an alert that is shown in Kibana.
Possible break-in attempt
When more than 4 authentication failures occur within a 360-second time window, rule 80803 correlates them and triggers a single, higher-priority alert on top of the individual login-failure alerts.
Login success
After a successful login, rule 80801 matches the log message generated by this event and a new alert is shown in Kibana.
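The following Python script is an added example, not part of the original page and not Wazuh's ruleset: it applies the same decisions the five rules above describe to a handful of constructed CloudTrail records, including the sliding-window correlation behind rule 80803 (more than 4 failures in 360 seconds). The CloudTrail fields it reads (eventName, errorCode, responseElements.ConsoleLogin, sourceIPAddress, eventTime) are standard record fields; the rule numbers are those cited above, but the matching logic, the grouping of failures by source IP and the sample events are this example's own assumptions.

```python
"""Illustrative re-implementation of the IAM rule decisions described above.

Added example: the rule numbers are the ones the page cites, but the matching
logic here is ours, not the text of Wazuh's ruleset.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Rule 80803 as described on the page: more than 4 failures within 360 seconds.
BREAKIN_THRESHOLD = 4
BREAKIN_WINDOW = timedelta(seconds=360)


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2019-05-14T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(event):
    """Return the rule id a single CloudTrail record would match, or None."""
    name = event.get("eventName")
    if name == "CreateUser":
        # A denied request carries errorCode/errorMessage; a successful one does not.
        if event.get("errorCode") == "AccessDenied":
            return 80862          # create user account without permissions
        if "errorCode" not in event:
            return 80861          # create user account
        return None               # other CreateUser errors are not covered above
    if name == "ConsoleLogin":
        # responseElements is null for some record types, so guard against None.
        outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Success":
            return 80801          # login success
        if outcome == "Failure":
            return 80802          # user login failed
    return None


class LoginFailureTracker:
    """Sliding-window counter of failed logins, keyed by source IP.
    Keying by source IP is an assumption; the page does not say how failures are grouped."""

    def __init__(self, threshold=BREAKIN_THRESHOLD, window=BREAKIN_WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures = {}   # source -> deque of timestamps, oldest first

    def observe(self, source, ts):
        """Record one failure; True if the window now holds more than threshold."""
        q = self._failures.setdefault(source, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return len(q) > self.threshold


def process(events, tracker=None):
    """Run records through the per-event rules and the 80803 correlation.
    Returns a list of (rule_id, eventTime) in firing order."""
    tracker = tracker or LoginFailureTracker()
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        alerts.append((rule, ev["eventTime"]))
        if rule == 80802:
            source = ev.get("sourceIPAddress", "unknown")
            if tracker.observe(source, parse_event_time(ev["eventTime"])):
                alerts.append((80803, ev["eventTime"]))   # possible break-in attempt
    return alerts


def _login(t, outcome, ip="198.51.100.7"):
    """Build a constructed ConsoleLogin record (not real CloudTrail output)."""
    return {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "eventTime": t, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample records; the shape follows the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "eventTime": "2019-05-14T10:00:00Z", "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "new-analyst"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "eventTime": "2019-05-14T10:00:30Z", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/intern is not authorized "
                     "to perform: iam:CreateUser on resource: arn:aws:iam::123456789012:user/x"},
    _login("2019-05-14T10:01:00Z", "Failure"),
    _login("2019-05-14T10:01:30Z", "Failure"),
    _login("2019-05-14T10:02:00Z", "Failure"),
    _login("2019-05-14T10:02:30Z", "Failure"),
    _login("2019-05-14T10:03:00Z", "Failure"),   # 5th failure within 120 s -> 80803
    _login("2019-05-14T10:04:00Z", "Success"),
    _login("2019-05-14T10:10:00Z", "Failure"),   # earlier failures have aged out
]


def run_sample():
    """Rule ids fired for SAMPLE_EVENTS, in order."""
    return [rule for rule, _ in process(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for rule, when in process(SAMPLE_EVENTS):
        print(when, rule)
```

The last failure in the sample is the edge case worth noticing: it comes nine minutes after the burst, so the window has emptied and only 80802 fires, not 80803. If you group failures differently than by source IP (for example globally, or per user name), change the key passed to observe; the threshold and window stay as the page states them.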
The Kibana dashboards for IAM events summarize these alerts in two views: Pie Chart and Stacked Groups (dashboard screenshots).