Unexpected AWS console login
ID: aws_console_login_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0004:T1078
Description
An unexpected AWS Console login may indicate unauthorized activity and should be investigated. Such access can expose the environment to data exploitation or malicious actions. Logins from a previously unseen country, with a new user agent, or without multi-factor authentication (MFA) signal a higher likelihood of account compromise.
Impact
Compromised credentials grant an unknown user the ability to manipulate, delete, or steal valuable data. These actions could have serious consequences.
Severity
Severity | Condition |
---|---|
Informational | Logins from distant locations within a short period of time |
Low | Login from a new country |
Low | Login from a new user agent |
Medium | More than one of the conditions above |
Medium | Login without MFA |
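
The severity table above, applied to CloudTrail `ConsoleLogin` events, as an added example that is not the product's own rule logic. Assumptions: each event carries a `geo` field from GeoIP enrichment, the 900 km/h `MAX_KMH` cutoff stands in for "distant locations within a short period of time", "more than one of the conditions above" means the three location and user-agent conditions, and the events in `SAMPLE` are constructed.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed cutoff for "distant locations within a short period of time"

def km(a, b):  # haversine distance in km between two (lat, lon) pairs
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def score_logins(events):
    """Return [(eventTime, severity, reasons)] for successful ConsoleLogin events."""
    seen, out = {}, []  # seen: user ARN -> list of that user's earlier logins
    for e in sorted(events, key=lambda e: e["eventTime"]):
        ok = (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        if e.get("eventName") != "ConsoleLogin" or not ok:
            continue
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        geo = e["geo"]  # assumed GeoIP enrichment; CloudTrail only carries sourceIPAddress
        pos, reasons = (geo["lat"], geo["lon"]), []
        hist = seen.setdefault(e["userIdentity"]["arn"], [])
        if hist:  # a user's first login only seeds the baseline
            last_t, last_pos = hist[-1][:2]
            hours = max((t - last_t).total_seconds() / 3600, 1 / 60)
            if km(last_pos, pos) / hours > MAX_KMH:
                reasons.append("distant_locations")
            if geo["country"] not in {h[2] for h in hist}:
                reasons.append("new_country")
            if e["userAgent"] not in {h[3] for h in hist}:
                reasons.append("new_user_agent")
        no_mfa = (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes"
        sev = ("Medium" if no_mfa or len(reasons) > 1 else
               "Informational" if reasons == ["distant_locations"] else
               "Low" if reasons else None)
        if sev:
            out.append((e["eventTime"], sev, reasons + (["no_mfa"] if no_mfa else [])))
        hist.append((t, pos, geo["country"], e["userAgent"]))
    return out

def ev(ts, country, lat, lon, agent, mfa="Yes"):  # builds a constructed, trimmed event
    return {"eventName": "ConsoleLogin", "eventTime": ts, "userAgent": agent,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": mfa}, "geo": {"country": country, "lat": lat, "lon": lon}}

SAMPLE = [ev("2024-03-01T09:00:00Z", "US", 40.71, -74.01, "Firefox"),
          ev("2024-03-02T09:00:00Z", "US", 40.71, -74.01, "Chrome"),
          ev("2024-03-02T11:00:00Z", "US", 34.05, -118.24, "Chrome"),
          ev("2024-03-02T12:00:00Z", "DE", 52.52, 13.40, "Chrome"),
          ev("2024-03-05T12:00:00Z", "DE", 52.52, 13.40, "Chrome", mfa="No")]
```

For federated sign-ins CloudTrail reports `MFAUsed` as `No` because MFA is enforced at the identity provider, so a rule like this needs an exclusion or a lookup against the identity provider's logs for those sessions.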