Rules
Detect when a user stops an AWS Configuration Recorder
User logs in to the AWS console from an external location.
Detects when a user creates a new AWS IAM account.
Detects when a user adds an ingress rule to an AWS security group that allows inbound access from a Class B or larger IP range (/16 or less).
Detects when a user adds an ingress rule to an AWS security group that allows internet inbound access.