
Successful suspicious AWS console login

ID: aws_console_login_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0004:T1078

Description

An unexpected AWS Console login may indicate unauthorized activity that should be investigated. Such access can expose the environment to data exploitation or malicious actions. Logins from previously unseen countries, from new user agents, or without multi-factor authentication (MFA) signal a higher likelihood of account compromise.

Impact

Compromised credentials grant an unknown user the ability to manipulate, delete, or steal valuable data. These actions could have serious consequences.

Severity

Severity      | Condition
Informational | Logins from distant locations within a short period of time
Low           | Login from a new country
Low           | Login from a new user agent
Medium        | More than one of the conditions above
Medium        | Login without MFA
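
As an added illustration, not the detection product's own rule logic, the severity table above applied to a handful of constructed CloudTrail ConsoleLogin records: the GEO map stands in for a GeoIP lookup, MAX_KMH is an assumed threshold for implausible travel, and records are assumed to arrive in time order.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

GEO = {  # constructed stand-in for a GeoIP lookup, ip -> (country, lat, lon); not real data
    "198.51.100.7": ("US", 40.71, -74.01),  # New York
    "192.0.2.5": ("US", 34.05, -118.24),    # Los Angeles
    "203.0.113.9": ("DE", 52.52, 13.40)}    # Berlin
MAX_KMH = 900  # assumed: an implied speed above this between two logins is implausible travel
TRAVEL, COUNTRY, AGENT, NO_MFA = ("distant locations within a short period",
                                  "new country", "new user agent", "login without MFA")

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(radians, a + b)
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score(event, history):
    """Rate one CloudTrail record against the user's earlier console logins (history:
    user ARN -> [(time, country, user_agent, (lat, lon))]). Returns (severity, hits)."""
    if (event.get("eventName") != "ConsoleLogin"
            or event.get("responseElements", {}).get("ConsoleLogin") != "Success"):
        return None, []  # only successful console logins are in scope for this rule
    user, ua = event["userIdentity"]["arn"], event["userAgent"]
    country, lat, lon = GEO[event["sourceIPAddress"]]
    t = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    prior, hits = history.setdefault(user, []), []
    if prior:  # baseline conditions need at least one earlier login; prior[-1] is the latest
        if country not in {p[1] for p in prior}:
            hits.append(COUNTRY)
        if ua not in {p[2] for p in prior}:
            hits.append(AGENT)
        hours = (t - prior[-1][0]).total_seconds() / 3600
        if hours > 0 and km(prior[-1][3], (lat, lon)) / hours > MAX_KMH:
            hits.append(TRAVEL)
    if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append(NO_MFA)
    prior.append((t, country, ua, (lat, lon)))
    if not hits:
        return None, []
    if NO_MFA in hits or len(hits) > 1:  # the two Medium rows of the severity table
        return "Medium", hits
    return ("Informational" if hits == [TRAVEL] else "Low"), hits

def login(time, ip, ua, mfa, result="Success"):
    """Constructed minimal ConsoleLogin record using CloudTrail's real field names."""
    return {"eventName": "ConsoleLogin", "eventTime": time, "sourceIPAddress": ip,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "userAgent": ua, "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": result}}
```

The first login for a user only seeds the baseline, so a brand-new IAM user produces no finding until a second login deviates from it.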

Investigation and Remediation

Use AWS IAM Access Analyzer to review permissions and IAM policies, or generate a credential report, and reset the account credentials if unauthorized access is confirmed. The recommended practice is to follow the principle of least privilege, granting users only the permissions they need, and to enable MFA wherever possible to minimize the potential impact of a security breach. Regularly review and remove unnecessary permissions.

Known False Positives

  • A user login from a new browser
  • A user login from a new location (e.g., over a VPN)

Further Reading