AWS Identity and Access Management (IAM) log data can be used to monitor user access to AWS services and resources. Using IAM, you can create and manage AWS users and groups, and manage permissions to allow and deny their access to AWS resources.
Below are some use cases for Wazuh alerts built for IAM events.
When we create a new user account in IAM, an AWS event is generated. As previously mentioned, the log message is collected by the Wazuh agent and forwarded to the manager for analysis. When a user account is created, the following alert will appear in Kibana. You can see the username of the created user and who created it:
If an unauthorized user attempts to create new users, the following alert will be shown in Kibana. It shows which user tried to create a user account and the username it tried to create:
When a user tries to log in with an invalid password, the following alert will be shown in Kibana. It includes data such as the user who tried to log in or the browser they were using:
When more than 4 authentication failures occur in a 360 second time window, Wazuh raises this alert:
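The threshold above (more than 4 failed logins within 360 seconds) can be reproduced offline as a sliding-window check over CloudTrail `ConsoleLogin` records. This is an added example, not Wazuh's own rule or code; counting per `userName` and resetting the count after an alert are assumptions, and the log records are constructed sample data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 360  # time window stated on this page
MAX_FAILURES = 4      # alert once failures inside the window exceed this

def _event(ts, user, result):
    """Build one constructed CloudTrail ConsoleLogin record as a JSON line."""
    return json.dumps({
        "eventTime": ts, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": result}})

# Constructed sample data, not real logs.
SAMPLE_LOG = [
    _event("2024-01-01T10:00:00Z", "alice", "Failure"),
    _event("2024-01-01T10:01:00Z", "alice", "Failure"),
    _event("2024-01-01T10:02:00Z", "bob", "Failure"),
    _event("2024-01-01T10:02:30Z", "alice", "Failure"),
    _event("2024-01-01T10:03:00Z", "carol", "Success"),
    _event("2024-01-01T10:04:00Z", "alice", "Failure"),
    _event("2024-01-01T10:05:30Z", "alice", "Failure"),  # 5th in 330 s
    _event("2024-01-01T10:20:00Z", "bob", "Failure"),
]

def detect_bursts(lines, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
    """Return (user, eventTime, count) whenever a user's failed console
    logins inside the sliding window exceed max_failures."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = json.loads(line)
        outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
        if ev.get("eventName") != "ConsoleLogin" or outcome != "Failure":
            continue
        user = (ev.get("userIdentity") or {}).get("userName", "unknown")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            alerts.append((user, ev["eventTime"], len(q)))
            q.clear()  # start a fresh count after alerting
    return alerts

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
```

With the sample data, only `alice` crosses the threshold; `bob`'s two failures are too far apart to count together.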
After a successful login, the following event will be shown in Kibana. It shows the user who logged in, the browser they used, and other useful information:
And here are the Kibana dashboards for IAM events: