Suspicious AWS API calls indicating retrieval of AWS sign-in token

ID: aws_get_signin_token_suspicious
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1550.001

Description

AlphaSOC detected the unexpected retrieval of an AWS sign-in token via the GetSigninToken action. Malicious actors can abuse this AWS console API to generate interim federated access credentials from a compromised access key. The technique masks the identity of the originally compromised key and lets the attacker move from command-line interface operations to a browser-based console session; because that session is built on the newly issued credentials, it sidesteps multi-factor authentication requirements.

Impact

This activity enables attackers to maintain persistent access to AWS resources while evading detection and bypassing MFA controls. Malicious actors can seamlessly switch between CLI and console access, making it harder to track their activities and potentially leading to unauthorized access, data breaches, and compromise of critical cloud infrastructure.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review AWS CloudTrail logs to investigate the context of the GetSigninToken action. Verify whether the action was authorized and performed by a legitimate user. If unauthorized, revoke active sessions (if possible) or update AWS IAM policies to limit privileges, and prevent new sessions from being created. Additionally, rotate any potentially compromised credentials and assess the extent of potential damage.
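The following script is an added example (not AlphaSOC's detection code) showing how the severity scale above could be applied when reviewing CloudTrail records for GetSigninToken during an investigation. It picks out GetSigninToken events, counts how many of the four properties (action, ASN, user agent, region) fall outside a per-principal baseline, and grades the event Informational, Low or Medium accordingly, surfacing the access key ID, principal ARN and source IP an analyst would need for the revocation and rotation steps described above. The baseline, the IP-to-ASN table and the sample records are constructed for the example; CloudTrail itself records sourceIPAddress, not an ASN, so the ASN lookup stands in for whatever IP enrichment your pipeline provides, and an event with more than three unexpected properties is capped at Medium (an assumption, since the scale tops out there).

```python
"""Grade GetSigninToken events from CloudTrail with the Informational / Low /
Medium scale (added example; baseline, ASN table and records are constructed)."""
import json
from typing import Dict, List, Optional, Set

# Constructed per-principal baseline. Assumption: in practice this is derived
# from the principal's historical CloudTrail activity, not hard-coded.
BASELINE: Dict[str, Set[str]] = {
    "actions": {"DescribeInstances", "ListBuckets"},
    "asns": {"AS16509"},
    "user_agent_prefixes": {"aws-cli/2."},
    "regions": {"us-east-1"},
}

# Constructed IP-to-ASN table standing in for an IP enrichment source.
ASN_BY_IP: Dict[str, str] = {
    "203.0.113.10": "AS16509",
    "198.51.100.77": "AS64496",
}

# One, two or three unexpected properties map to the three severity levels.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def unexpected_properties(record: dict, baseline: Dict[str, Set[str]]) -> List[str]:
    """Return which of action / asn / user_agent / region lie outside the baseline."""
    found: List[str] = []
    if record.get("eventName") not in baseline["actions"]:
        found.append("action")
    asn = ASN_BY_IP.get(record.get("sourceIPAddress", ""), "unknown")
    if asn not in baseline["asns"]:
        found.append("asn")
    user_agent = record.get("userAgent", "")
    if not any(user_agent.startswith(p) for p in baseline["user_agent_prefixes"]):
        found.append("user_agent")
    if record.get("awsRegion") not in baseline["regions"]:
        found.append("region")
    return found


def grade(record: dict, baseline: Dict[str, Set[str]] = BASELINE) -> Optional[dict]:
    """Grade a single GetSigninToken record; other events yield None.
    Four unexpected properties are capped at Medium (assumption)."""
    if record.get("eventName") != "GetSigninToken":
        return None
    props = unexpected_properties(record, baseline)
    if not props:
        return None
    identity = record.get("userIdentity", {})
    return {
        "severity": SEVERITY_BY_COUNT[min(len(props), 3)],
        "unexpected": props,
        "eventTime": record.get("eventTime"),
        "accessKeyId": identity.get("accessKeyId"),
        "arn": identity.get("arn"),
        "sourceIPAddress": record.get("sourceIPAddress"),
    }


def triage(records: List[dict]) -> List[dict]:
    """Return a finding for every GetSigninToken record that merits one."""
    return [f for f in (grade(r) for r in records) if f is not None]


def _record(event_name: str, ip: str, user_agent: str, region: str, time: str) -> dict:
    # Constructed CloudTrail-style record trimmed to the fields used here.
    return {
        "eventTime": time,
        "eventSource": "signin.amazonaws.com" if event_name == "GetSigninToken" else "ec2.amazonaws.com",
        "eventName": event_name,
        "awsRegion": region,
        "sourceIPAddress": ip,
        "userAgent": user_agent,
        "userIdentity": {
            "type": "IAMUser",
            "accessKeyId": "AKIAEXAMPLEPLACEHOLDER",  # constructed placeholder
            "arn": "arn:aws:iam::123456789012:user/ci-deploy",  # constructed
        },
    }


# Constructed sample records: expected context, one and then several deviations,
# and an unrelated API call that should be ignored.
SAMPLE_RECORDS = [
    _record("GetSigninToken", "203.0.113.10", "aws-cli/2.15.0 Python/3.11", "us-east-1", "2024-05-01T10:00:00Z"),
    _record("GetSigninToken", "198.51.100.77", "aws-cli/2.15.0 Python/3.11", "us-east-1", "2024-05-01T10:05:00Z"),
    _record("GetSigninToken", "198.51.100.77", "python-requests/2.31.0", "eu-west-3", "2024-05-01T10:07:00Z"),
    _record("DescribeInstances", "203.0.113.10", "aws-cli/2.15.0 Python/3.11", "us-east-1", "2024-05-01T10:09:00Z"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run against a real trail, the `accessKeyId` and `arn` in each finding identify which credential to rotate and which principal's sessions to revoke, and the `unexpected` list records why the event was graded as it was so the analyst can confirm or dismiss it quickly.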