
Multiple unsuccessful AWS console login attempts from an IP address for different users

ID: aws_console_login_failure_users
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC has detected 5 or more unsuccessful AWS console login attempts in 30 minutes, which may indicate unauthorized access attempts to your AWS environment. This detection is triggered by a failed login and increases in severity with multiple failed attempts per user, multiple failed attempts per IP address, or multiple users failing from the same IP. This behavior aligns with potential brute force or credential stuffing attempts targeting your AWS infrastructure.

Impact

Multiple unsuccessful login attempts may indicate malicious activity. If successful, a threat actor could gain control of your AWS resources and potentially manipulate, delete, or steal valuable data. These actions could have severe consequences.

Severity

Severity      | Condition
Informational | Unsuccessful AWS Console login
Low           | 5 or more failed attempts to log in to the same account
Low           | 10 or more failed login attempts (to one or multiple accounts) from the same IP address
Medium        | 5 or more failed attempts to log in to different accounts
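As an added example (not AlphaSOC's own detection code), the following Python applies the thresholds from the severity table to CloudTrail ConsoleLogin records over the 30-minute window named in the description. The sample events are constructed, and treating the window as sliding is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # window from the description; treated as sliding (assumption)
RANK = {"Informational": 0, "Low": 1, "Medium": 2}

def console_login(ts, user, ip, result):
    # Minimal CloudTrail ConsoleLogin record (constructed sample, fields trimmed to what the rule needs)
    return {"eventName": "ConsoleLogin", "eventTime": ts, "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": result}}

# Constructed sample: one IP failing against five different users within 5 minutes, then one success.
SAMPLE = [console_login(f"2024-05-01T10:0{i}:00Z", u, "203.0.113.10", "Failure")
          for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
SAMPLE.append(console_login("2024-05-01T10:06:00Z", "alice", "203.0.113.10", "Success"))

def failures(events):
    """Extract (time, user, ip) for events CloudTrail recorded as ConsoleLogin failures, time-ordered."""
    out = []
    for e in events:
        if (e.get("eventName") != "ConsoleLogin"
                or e.get("responseElements", {}).get("ConsoleLogin") != "Failure"):
            continue
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((t, e.get("userIdentity", {}).get("userName", "<unknown>"), e["sourceIPAddress"]))
    return sorted(out)

def evaluate(events, window=WINDOW):
    """Apply the severity table; returns (severity, reason), or None when no login failed."""
    best, per_user, per_ip = None, defaultdict(deque), defaultdict(deque)

    def raise_to(sev, reason):
        nonlocal best
        if best is None or RANK[sev] > RANK[best[0]]:
            best = (sev, reason)

    for t, user, ip in failures(events):
        raise_to("Informational", f"unsuccessful console login for {user} from {ip}")
        for key, table in ((user, per_user), (ip, per_ip)):
            q = table[key]
            q.append((t, user))
            while t - q[0][0] > window:  # age out attempts older than the window
                q.popleft()
        if len(per_user[user]) >= 5:
            raise_to("Low", f"{len(per_user[user])} failed logins for user {user}")
        if len(per_ip[ip]) >= 10:
            raise_to("Low", f"{len(per_ip[ip])} failed logins from {ip}")
        distinct = {u for _, u in per_ip[ip]}
        if len(distinct) >= 5:
            raise_to("Medium", f"{ip} failed against {len(distinct)} different users")
    return best
```

Running `evaluate(SAMPLE)` yields the Medium case from the table; the success record is ignored, and failures spaced more than 30 minutes apart never accumulate past Informational.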

Investigation and Remediation

Investigate the source IP addresses associated with the failed login attempts and review AWS CloudTrail logs for additional context. If you confirm unauthorized access, immediately change the affected passwords and revoke active sessions. Consider additional security measures such as enforcing multi-factor authentication (MFA), setting an account password policy, and limiting AWS console access to trusted IP ranges.

Known False Positives

  • A legitimate user mistyping their password
  • Misconfigured applications or services trying to authenticate with incorrect credentials

Further Reading