Successful AWS console logins from different locations in a short period
Description
An unexpected AWS Console login may indicate unauthorized activity that should be investigated. Such access can expose the environment to data exploitation or malicious actions. Logins from previously unseen countries, new user agents, and without multi-factor authentication (MFA) signal a higher likelihood of account compromise.
Impact
Compromised credentials grant an unknown user the ability to manipulate, delete, or steal valuable data. These actions could have serious consequences.
Severity
| Severity | Condition |
|---|---|
| Informational | Logins from distant locations within a short period of time |
| Low | Login from a new country |
| Low | Login from a new user agent |
| Medium | More than one of the conditions above |
| Medium | Login without MFA |
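The following is an added example, not part of the original rule text, showing how the severity table above can be applied to AWS CloudTrail `ConsoleLogin` events. It keeps a per-principal baseline of seen countries and user agents, treats a country change between two successful logins inside a one-hour window as the "distant locations within a short period" condition (a simplification chosen here), and escalates to Medium when more than one condition fires or when MFA was not used. The IP-to-country map, the sample events and the principal ARN are constructed for the example; the CloudTrail field names (`eventName`, `sourceIPAddress`, `userAgent`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the real ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-country lookup standing in for a GeoIP database (assumption).
GEO = {"203.0.113.10": "DE", "192.0.2.55": "DE", "198.51.100.7": "BR"}

# Severity ladder from the rule's table, ordered so the maximum can be taken.
RANK = {"Informational": 0, "Low": 1, "Medium": 2}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


class ConsoleLoginMonitor:
    """Scores successful console logins against per-principal baselines."""

    def __init__(self, travel_window=timedelta(hours=1)):
        self.travel_window = travel_window
        self.seen_countries = defaultdict(set)
        self.seen_agents = defaultdict(set)
        self.last_login = {}  # principal -> (time, country)

    def evaluate(self, event):
        # Only successful console logins are in scope for this rule.
        if event.get("eventName") != "ConsoleLogin":
            return None
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            return None
        principal = event["userIdentity"]["arn"]
        when = parse_time(event["eventTime"])
        country = GEO.get(event["sourceIPAddress"], "UNKNOWN")
        agent = event["userAgent"]
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"

        findings = []
        prev = self.last_login.get(principal)
        if prev and prev[1] != country and when - prev[0] <= self.travel_window:
            findings.append(("Informational", "login from a distant location within a short period"))
        if self.seen_countries[principal] and country not in self.seen_countries[principal]:
            findings.append(("Low", "login from a new country"))
        if self.seen_agents[principal] and agent not in self.seen_agents[principal]:
            findings.append(("Low", "login from a new user agent"))
        if not mfa_used:
            findings.append(("Medium", "login without MFA"))

        # Update baselines after scoring, so a principal's first login seeds them silently.
        self.seen_countries[principal].add(country)
        self.seen_agents[principal].add(agent)
        self.last_login[principal] = (when, country)

        if not findings:
            return None
        # Table rule: more than one condition escalates to Medium; otherwise use the single rating.
        severity = "Medium" if len(findings) > 1 else findings[0][0]
        return {"principal": principal, "severity": severity, "reasons": [f[1] for f in findings]}


def make_event(time, ip, agent, mfa, principal="arn:aws:iam::123456789012:user/alice"):
    """Build a constructed CloudTrail-shaped ConsoleLogin record (sample data, not real logs)."""
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventTime": time,
        "sourceIPAddress": ip,
        "userAgent": agent,
        "userIdentity": {"arn": principal},
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": "Success"},
    }


FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
SAMPLE_EVENTS = [
    make_event("2024-05-01T08:00:00Z", "203.0.113.10", FIREFOX, "Yes"),  # seeds the baseline
    make_event("2024-05-01T08:30:00Z", "192.0.2.55", FIREFOX, "Yes"),    # same country and agent
    make_event("2024-05-01T08:45:00Z", "198.51.100.7", FIREFOX, "Yes"),  # new country, 15 min later
    make_event("2024-05-02T09:00:00Z", "203.0.113.10", "curl/8.0", "No"),  # new agent, no MFA
]


def run(events):
    """Return the alerts produced for a sequence of events."""
    monitor = ConsoleLoginMonitor()
    return [a for a in (monitor.evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["severity"], alert["principal"], "; ".join(alert["reasons"]))
```

Run against the constructed events, the first two logins produce nothing, the third is rated Medium (distant location within a short period plus a new country), and the fourth is rated Medium (new user agent plus no MFA). In production the GeoIP lookup and baselines would come from a real database and a persistent store, and the travel window would be tuned to the organisation's VPN and travel patterns to keep the false positives listed on this page manageable.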
Investigation and Remediation
Use AWS IAM Access Analyzer to review permissions and IAM policies, or generate a credential report, and reset the account credentials if unauthorized access is confirmed. The recommended practice is to grant users the least amount of permissions needed and to enable MFA wherever possible, so that the potential impact of a security breach is minimized. Follow the principle of least privilege when granting permissions, and regularly review and remove unnecessary permissions.
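As an added example (not part of the original page), the snippet below parses an IAM credential report and lists the principals that can sign in to the console with a password but have no MFA device active, which is the follow-up check implied by the Medium "login without MFA" rating. The `GenerateCredentialReport`/`GetCredentialReport` API returns the report as base64-encoded CSV in its `Content` field, and the column names used here (`user`, `arn`, `password_enabled`, `password_last_used`, `mfa_active`) are the real ones; the sample report is constructed for the example and omits the report's remaining columns, and the account ID is a placeholder.

```python
import base64
import csv
import io

# Constructed sample in the shape of an IAM credential report (assumption: only the
# columns used below are included; the real report carries more columns).
SAMPLE_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T10:00:00+00:00,not_supported,2024-04-30T11:00:00+00:00,true
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2023-03-15T12:00:00+00:00,true,2024-04-28T17:00:00+00:00,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-06-01T00:00:00+00:00,false,no_information,false
"""

# GetCredentialReport hands back the CSV base64-encoded; emulate that here.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()


def parse_credential_report(content_b64):
    """Decode the base64 `Content` field and return the report rows as dicts."""
    text = base64.b64decode(content_b64).decode()
    return list(csv.DictReader(io.StringIO(text)))


def console_users_without_mfa(rows):
    """Principals with console password sign-in and no active MFA device.

    The root account reports password_enabled as "not_supported" because it
    always has a password, so it is treated as password-enabled here.
    """
    return sorted(
        row["user"]
        for row in rows
        if row["password_enabled"] in ("true", "not_supported")
        and row["mfa_active"] != "true"
    )


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT_B64)
    for user in console_users_without_mfa(report):
        print("console sign-in without MFA:", user)
```

With the constructed report only `bob` is listed: `alice` and the root account have MFA active, and `svc-deploy` has no console password at all. Feeding this function the real report lets an investigator confirm whether the principal behind an unexpected login was already exposed by a missing MFA device, and gives the remediation list for enabling MFA.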
Known False Positives
- A user login from a new browser
- A user login from a new location (e.g., over a VPN)