Multiple unsuccessful AWS console login attempts from an IP address for different users
Description
AlphaSOC has detected 5 or more unsuccessful AWS console login attempts in 30 minutes, which may indicate unauthorized access attempts to your AWS environment. This detection is triggered by failed login and can increase in severity based on multiple failed attempts per user, per IP address, or multiple users failing from the same IP. This behavior aligns with potential brute force attacks or credential stuffing attempts targeting your AWS infrastructure.
Impact
Multiple unsuccessful login attempts may indicate malicious activity. If successful, a threat actor could gain control of your AWS resources and potentially manipulate, delete, or steal valuable data. These actions could have severe consequences.
Severity
Severity | Condition |
---|---|
Informational | Unsuccessful AWS Console login |
Low | 5 or more failed attempts to log in to the same account |
Low | 10 or more failed login attempts (to one or multiple accounts) from the same IP address |
Medium | 5 or more failed attempts to login to different accounts |
Investigation and Remediation
Investigate the source IP addresses associated with the failed login attempts. Review AWS CloudTrail logs for additional context. If you confirm unauthorized access, immediately change passwords and revoke active sessions. Consider implementing additional security measures such as multi-factor authentication (MFA), set an account password policy, and limit AWS console access to trusted IP ranges.
Known False Positives
- A legitimate user mistyping their password
- Misconfigured applications or services trying to authenticate with incorrect credentials