Account - Login From Invalid IP Address¶
The following example policy will automatically create a CloudWatch Event Rule triggered Lambda function in your account and region which will be triggered anytime a user logs in from an invalid IP address. If the source IP address of the event is outside of the provided ranges in the policy then notify the admins security team for further investigation. Using the cloudtrail mode provides near real-time auto-remediation (typically within 1-2 mins) of the event occuring. Having such a quick auto-remediation action greatly reduces an attack window! By notifying the cloud admins or security team they can validate the login and revoke the login session if it’s not valid followed by changing the password for or disabling the comprimised user etc.
In the below example the filter being applied is regex and reads as follows: -Notify if the source IP address of the event is not from one of the valid IP CIDRs - 158.103.0.0/16 - 142.179.0.0/16 - 187.39.0.0/16 - 12.0.0.0/8 You can generate the Regex for IP ranges on a site like: http://www.analyticsmarket.com/freetools/ipregex
policies:
- name: invalid-ip-address-login-detected
resource: account
description: |
Notifies on invalid external IP console logins
mode:
type: cloudtrail
events:
- ConsoleLogin
filters:
- not:
- type: event
key: 'detail.sourceIPAddress'
value: |
'^((158\.103\.|142\.179\.|187\.39\.)([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])
\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))|(12\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])
\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])\.([01]?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]))$'
op: regex
actions:
- type: notify
template: default.html
priority_header: 1
subject: "Login From Invalid IP Detected - [custodian {{ account }} - {{ region }}]"
violation_desc: "A User Has Logged In Externally From A Invalid IP Address Outside The Company's Range:"
action_desc: |
"Please investigate and revoke the invalid session along
with any other restrictive actions if appropriate"
to:
- CloudAdmins@Company.com
- SecurityTeam@Company.com
transport:
type: sqs
queue: https://sqs.us-east-1.amazonaws.com/12345678900/cloud-custodian-mailer
region: us-east-1
Note that the notify
action requires the cloud custodian mailer tool to be installed.