Monitoring critical events is essential because these events often have significant consequences that require timely awareness, response, and management. Effective critical event monitoring allows for improved preparedness, response, and recovery, making it indispensable across various domains.
The following list contains a set of event names commonly associated with identity and access management (IAM) activities in cloud environments, particularly AWS. These events often relate to actions involving authentication, user management, roles, policies, and security.
| Event Name | Description with Security Implication |
|---|---|
| AddClientIDToOpenIDConnectProvider | Adds a client ID to an OpenID Connect provider for federated authentication, which may increase the attack surface by allowing external federated identities to access AWS resources. |
| AddRoleToInstanceProfile | Associates a role with an EC2 instance profile, enabling EC2 instances to assume the role. This can lead to escalated privileges for EC2 instances and potentially grant excessive permissions if misconfigured. |
| AddUserToGroup | Adds an IAM user to an IAM group where the user inherits the group’s permissions that escalates their privileges if the group has excessive access. |
| AttachGroupPolicy | Attaches an IAM policy to a group, applying permissions to all users in that group. Excessive permissions granted by the policy unintentionally results in escalating the privileges of group members. |
| AttachRolePolicy | Attaches a policy to a role that leads to excessive permissions for the policy and eventually EC2 instances or services that should not be granted elevated access. |
| AttachUserPolicy | Attaches a policy to a user, granting them specific permissions, and escalates the user’s privileges if the policy is overly permissive or improperly configured. |
| ChangePassword | Updates the password for an IAM user, posing a potential security risk if changed by a malicious actor or unauthorized user. |
| ConsoleLogin | Enables a user to log in to the AWS Management Console and crucial to monitor for unauthorized logins, as these may indicate a security breach. |
| CreateAccessKey | Creates a new access key for a user enabling API access. Access key creation increases the risk of unauthorized access if not properly managed or rotated. |
| CreateAccountAlias | Creates an alias for an AWS account to simplify access via a URL. Although it poses low risk, it can be vulnerable to exploitation through social engineering attacks if the alias is misused. |
| CreateGroup | Creates a new IAM group, which could mistakenly provide extensive permissions to users if not configured correctly. |
| CreateInstanceProfile | Creates an IAM instance profile, which assigns a role to EC2 instances. There is a risk if the instance profile is associated with overly permissive roles, as it can grant EC2 instances excessive access. |
| CreateLoginProfile | Creates a login profile for an IAM user, allowing console access while increasing the attack surface if not properly secured. |
| CreateOpenIDConnectProvider | Creates an OpenID Connect (OIDC) provider for federated access, which can introduce significant risks if compromised, as it may allow unauthorized access to AWS resources. |
| CreatePolicy | Creates a new IAM policy and if the policy is overly permissive, it could inadvertently grant excessive permissions across AWS resources. |
| CreatePolicyVersion | Creates a new version of an existing IAM policy, which could result in less secure policy versions being used or outdated versions remaining with excessive privileges. |
| CreateRole | Creates a new IAM role. The role may be misconfigured with overly broad permissions, potentially escalating privileges or compromising security. |
| CreateSAMLProvider | Establishes a SAML provider for secure federated authentication. If compromised, a SAML provider can expose AWS resources to unauthorized access. |
| CreateUser | Creates a new IAM user and increases the attack service on granting overly permissive policies. |
| CreateVirtualMFADevice | Creates a virtual MFA device to secure user access with multi-factor authentication, enhancing security by enforcing MFA. However, it may cause issues if misconfigured or if MFA devices are lost or stolen. |
| DeactivateMFADevice | Deactivates a user’s MFA device and weakens security by removing multi-factor authentication, increasing the risk of account compromise. |
| DeleteAccessKey | Removes a user’s access key and revokes their API access; this is crucial for addressing a potential security incident. |
| DeleteAccountAlias | Deletes an account alias, simplifying access but potentially disrupting integrations or visibility if the alias is used for marketing purposes. |
| DeleteAccountPasswordPolicy | Removes the password policy for the AWS account, eliminating control over user password requirements and potentially compromising account security. |
| DeleteGroup | Deletes an IAM group, which removes the group’s permissions and may unintentionally revoke access or disrupt users relying on these group policies. |
| DeleteGroupPolicy | Deletes a policy attached to a group and revokes permissions for all users in the group, potentially affecting business processes if not properly managed. |
| DeleteInstanceProfile | Deletes an IAM instance profile and removes associated permissions from EC2 instances, which may disrupt operations or services. |
| DeleteLoginProfile | Removes a user’s login profile (password) and prevents them from accessing the console, which can hinder their ability to manage resources. |
| DeleteOpenIDConnectProvider | Deletes an OIDC provider, which is used for federated authentication that can break federated authentication if it’s still in use, reducing access for users or applications relying on it. |
| DeletePolicy | Deletes an IAM policy and revokes permissions granted by the policy, potentially disrupting users or services relying on those permissions. |
| DeleteRole | Deletes an IAM role and revokes permissions granted by the role, potentially breaking services or EC2 instances that relied on it. |
| DeleteRolePolicy | Deletes a policy attached to a role and revokes permissions for any service or user assuming the role, potentially causing operational issues. |
| DeleteSAMLProvider | Deletes a SAML provider and disables federated authentication via SAML, which could lock out users relying on it. |
| DeleteServerCertificate | Removes an SSL/TLS server certificate, potentially disrupting secure communication for services or applications dependent on it. |
| DeleteSigningCertificate | Deletes a signing certificate used for code signing or API requests that disables secure signing for code or API requests, potentially impacting security or causing service disruptions. |
| DeleteSSHPublicKey | Deletes an SSH public key for a user and revokes SSH access for the user, potentially locking out legitimate access to EC2 instances. |
| DeleteUser | Deletes an IAM user and permanently revokes all access associated with that user, which may disrupt legitimate access if not carefully planned. |
| DeleteUserPolicy | Deletes a policy attached to a user and revokes specific permissions, potentially locking the user out of required resources or tasks. |
| DeleteVirtualMFADevice | Removes a virtual MFA device, thereby disabling multi-factor authentication, which reduces account security and increases the risk of unauthorized access. |
| DetachGroupPolicy | Disconnects a policy from a group, removing user permissions and possibly disrupting access to resources. |
| DetachRolePolicy | Detaches a policy from a role, revoking permissions for any services or EC2 instances assuming that role, which may affect operations. |
| DetachUserPolicy | Detaches a policy from a user and removes specific permissions, potentially impacting user access to critical resources. |
| EnableMFADevice | Enables an MFA device for a user and enhances security by requiring multi-factor authentication, reducing the risk of unauthorized access. |
| PutGroupPolicy | Creates or updates a group policy, which can grant excessive permissions to users in the group, potentially escalating privileges if misconfigured. |
| PutRolePolicy | Creates or updates a role policy. Misconfigured policies may grant excessive permissions, increasing the risk of privilege escalation. |
| PutUserPolicy | Creates or updates a user policy, which could grant excessive permissions if misconfigured, leading to potential security risks. |
| RemoveClientIDFromOpenIDConnectProvider | Removes a client ID from an OpenID Connect provider and revokes federated access, which may break legitimate access for users or services relying on the provider. |
| RemoveRoleFromInstanceProfile | Removes a role from an EC2 instance profile and revokes permissions for EC2 instances, potentially disrupting operations. |
| RemoveUserFromGroup | Removes a user from an IAM group, revoking their permissions, which may inadvertently lock them out of necessary resources. |
| ResyncMFADevice | Resynchronizes a user’s MFA device with AWS to ensure proper synchronization, preventing lockouts and enhancing security. |
| SetDefaultPolicyVersion | Sets the default version of a policy and may enable a less secure version, which could unintentionally reduce access controls or increase risk. |
| UpdateAccessKey | Updates the access key for a user, which is important for rotating keys after a compromise or to enhance security. Note that this may disrupt services using the key. |
| UpdateAccountPasswordPolicy | Revises the account password policy and modifies the strength of password security, which may affect overall account security. |
| UpdateAssumeRolePolicy | Alters the assume role policy for a role, modifying who can assume it. This change could lead to privilege escalation if not adequately restricted. |
| UpdateGroup | Updates the settings or policies of an IAM group and grants additional permissions to its members, which may inadvertently increase the risk of privilege escalation. |
| UpdateLoginProfile | Updates a user’s login profile, primarily the password and might affect user access, potentially leading to lockouts or reducing unauthorized access. |
| UpdateOpenIDConnectProviderThumbprint | Updates the thumbprint for an OIDC provider and modifies the identity provider configurations, which may impact federated access and disrupt integrations. |
| UpdateSAMLProvider | Modifies the configuration of a SAML provider and updates federated authentication settings, which may disrupt access or reduce security. |
| UpdateServerCertificate | Updates the SSL/TLS certificate used for secure communication, impacting encrypted communication channels that could be exploited if misconfigured. |
| UpdateSigningCertificate | Updates the signing certificate for code or API request signatures, enhancing security for signed requests, however, may make them susceptible to spoofing if not managed correctly. |
| UpdateSSHPublicKey | Updates the SSH public key for user access to EC2 instances and modifies the authorized keys for SSH, which may disrupt access to EC2 instances. |
| UpdateUser | Modifies user configurations, including permissions and settings that could change user privileges and affect access to resources. |
| UploadServerCertificate | Uploads a new SSH public key and changes the SSH access for a user, which could result in locking them out of necessary resources or creating security vulnerabilities. |
| UploadSigningCertificate | Uploads a new signing certificate and changes the security of signed code or API requests, which may leave them open to tampering. |
| UploadSSHPublicKey | Uploads a new SSH public key and changes the SSH access for a user, which could result in locking them out of necessary resources or creating security vulnerabilities. |
Related Topics
