Several unsuccessful AWS console login attempts for a user
Description
AlphaSOC detected multiple unsuccessful AWS console login attempts within a short timeframe, which may indicate unauthorized access attempts to your AWS environment. This detection is triggered by a failed login and increases in severity when there are multiple failed attempts for one user, multiple failed attempts from one IP address, or multiple users failing from the same IP address. This behavior aligns with potential brute force attacks or credential stuffing attempts targeting your AWS infrastructure.
Impact
Multiple unsuccessful login attempts may indicate malicious activity. If an attempt succeeds, a threat actor could gain control of your AWS resources and potentially manipulate, delete, or steal valuable data. These actions could have severe consequences.
Severity
| Severity | Condition |
|---|---|
| Informational | Unsuccessful AWS console login attempt |
| Low | Several unsuccessful AWS console login attempts for a user |
| Low | Several unsuccessful AWS console login attempts from the same IP address |
| Medium | Several unsuccessful AWS console login attempts from the same IP address for different users |
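
The escalation in the severity table, as an added Python example (not AlphaSOC's implementation): it reads CloudTrail `ConsoleLogin` records and assigns a severity per user and per source IP. The threshold of 3 failures and the 10-minute window are assumptions, since the page gives no numbers, and the events are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3  # assumed: the page only says "several"
WINDOW = timedelta(minutes=10)  # assumed: the page only says "short timeframe"

def failed_console_logins(events):
    """Yield (time, user, ip) for each failed ConsoleLogin CloudTrail record."""
    for e in events:
        result = (e.get("responseElements") or {}).get("ConsoleLogin")
        if e.get("eventName") != "ConsoleLogin" or result != "Failure":
            continue
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = (e.get("userIdentity") or {}).get("userName", "unknown")
        yield when, user, e.get("sourceIPAddress", "unknown")

def windows(rows):
    """For each row, yield the rows within WINDOW that end at that row."""
    rows, start = sorted(rows, key=lambda r: r[0]), 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > WINDOW:
            start += 1
        yield rows[start:end + 1]

def classify(events):
    """Return {(kind, key): severity} following the page's severity table."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for row in failed_console_logins(events):
        by_user[row[1]].append(row)
        by_ip[row[2]].append(row)
    findings = {}
    for user, rows in by_user.items():
        several = any(len(w) >= THRESHOLD for w in windows(rows))
        findings[("user", user)] = "Low" if several else "Informational"
    for ip, rows in by_ip.items():
        hits = [w for w in windows(rows) if len(w) >= THRESHOLD]
        if hits:  # Medium only when one burst spans more than one user name
            multi = any(len({r[1] for r in w}) > 1 for w in hits)
            findings[("ip", ip)] = "Medium" if multi else "Low"
    return findings

def event(ts, user, ip, result="Failure"):  # constructed minimal CloudTrail record
    return {"eventName": "ConsoleLogin", "eventTime": ts, "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": result}}

# Constructed sample events (documentation IP ranges, made-up user names).
SAMPLE = [event(f"2024-01-01T10:0{m}:00Z", "alice", "198.51.100.7") for m in range(3)]
SAMPLE += [event(f"2024-01-01T11:0{i}:00Z", u, "203.0.113.9")
           for i, u in enumerate(["bob", "carol", "dave"])]
SAMPLE.append(event("2024-01-01T12:00:00Z", "alice", "198.51.100.7", "Success"))
```

CloudTrail can record the user name of a failed sign-in as `HIDDEN_DUE_TO_SECURITY_REASONS` when the name itself was wrong, so the "different users" count per IP may be an undercount for such events.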
Investigation and Remediation
Investigate the source IP addresses associated with the failed login attempts. Review AWS CloudTrail logs for additional context. If you confirm unauthorized access, immediately change passwords and revoke active sessions. Consider implementing additional security measures such as enabling multi-factor authentication (MFA), setting an account password policy, and limiting AWS console access to trusted IP ranges.
Known False Positives
- A legitimate user mistyping their password
- Misconfigured applications or services trying to authenticate with incorrect credentials