Change to IAM Role Policy Configuration | This detector will create an issue when one or more policies that apply to an IAM role are added or removed. It will also create an is... | AWS | | 3 | No | |
Change to IAM Group Membership | Identify when IAM users are added or removed from groups.... | AWS | | 3 | No | |
Change to Policies for IAM Group | This detector will create an issue when there is a change to the inline policy, or to the lis... | AWS | | 3 | No | |
Change to IAM User Policy Configuration | This detector will create an issue when one or more policies that apply to an IAM user are added or removed. One or more of the... | AWS | | 3 | No | |
CloudTrail Disabled Or Modified | AWS CloudTrail is a key service for logging, monitoring, and auditing events in AWS accounts. CloudTrail stores 90 days of events in its internal event history, b... | AWS | | 4 | No | |
Console Login | This detector monitors CloudTrail events for those of eventType: AwsConsoleSignIn to see when someone logs into the AWS management console. The detector identifies logins by IAM users within the ... | AWS | | 3 | No | Disable IAM User |
Multiple Failed Login Attempts For IAM User | This detector creates an issue when there are multiple failed attempts to log in to the AWS Management Console for your account as an IAM user within a configurable period of time. This includes login... | AWS | | 4 | No | Disable IAM User |
Multiple Failed Login Attempts For IAM User Followed By Success | This detector creates an issue when there are multiple failed attempts to log in to the AWS Console, followed by a successful login for an IAM user within a configurable period of time. This dete... | AWS | | 4 | No | |
AWS Console GetSigninToken Event | This detector identifies suspicious "GetSigninToken" events in the AWS Console. It alerts when an attacker potentially uses tools like "aws_consoler" to create temporary federated credentials, bypassi... | AWS | Expected User Agents | 3 | No | |
IAM Group Created | A new IAM group was created. IAM groups can be assigned [roles]... | AWS | | 4 | No | |
Root User Login | This detector identifies whenever someone logs in to the AWS console as the root user. Login events are identified by monitoring [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userg... | AWS | | 4 | No | |
Root User Login Without MFA | This detector identifies whenever someone logs in to the AWS console as the root user without Multifactor Authentication (MFA). Login events are identified by monitoring [AWS CloudTrail](https://docs.... | AWS | | 5 | No | |
S3 Bucket Permissions Modified | This detector monitors CloudTrail for events that indicate that the permissions for an S3 bucket have been modi... | AWS | | 3 | No | Disable S3 Bucket Public Access |
Security Group Ingress or Egress Rules Modified | This detector reports when the ingress or egress rules for a Security Group change. A unique issue will be... | AWS | | 4 | No | |
AWS Static Access Key Used | This detector monitors CloudTrail events and identifies when [access keys](https://docs.aws.amazon.com/general/... | AWS | | 3 | No | Disable IAM User |
UnauthorizedAccess Followed By Create User | This detector reports an issue when an IAM user that has an [UnauthorizedAccess](https://docs.aws.amazon.com/guardduty/latest/u... | AWS | | 4 | No | Disable IAM User |
Unauthorized Region | This detects if an unauthorized region is used.... | AWS | Allowed Regions | 5 | Yes | |
Unauthorized Service | This detects if an unauthorized service is used.... | AWS | Allowed Services | 5 | Yes | |
Unauthorized User in Use | A user not in the allowed list of users was detected.... | AWS | Authorized Users | 2 | Yes | Disable IAM User |
Unexpected User Activity | This detector will detect API events to the cloud control plane from unexpected users. For immutable infrastructure, API write events should be limited to CI/CD pipeline users or strictly limited to a... | AWS | Exempt Users, Exempt Role Users | 4 | Yes | Disable IAM User |
IAM User Created | This detector identifies when new IAM users are created. IAM users can be given very broad access to services and resources in an AWS account, depending on the groups, roles, and policies that apply t... | AWS | | 4 | No | Disable IAM User |
New IAM User Created An EBS Snapshot | This detector reports an issue when a new IAM user creates an [EBS snapshot](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSn... | AWS | | 4 | No | Disable IAM User |