AWS IAM Identity Center device code authentication
Description
AlphaSOC detected AWS IAM Identity Center device code authentication activity. Device code authentication enables users to sign in to applications using a temporary code displayed on one device while completing authentication on another. Adversaries may exploit this mechanism through brute-force attempts, automated abuse, or phishing attacks targeting AWS IAM Identity Center authentication flows.
Impact
Successful exploitation provides threat actors with valid AWS credentials, enabling unauthorized access to AWS resources. Compromised credentials can allow adversaries to access sensitive data, execute commands, and move laterally within AWS environments. This access persists until credentials expire or administrators revoke them.
Severity
| Severity | Condition |
|---|---|
| Low | AWS IAM Identity Center device code authentication |
Investigation and Remediation
Review AWS CloudTrail logs to identify the source IP address, user agent, and frequency of authentication attempts. Check for successful authentications from unexpected locations or devices. If compromise is confirmed, revoke affected credentials, force password resets, and review all actions taken by the compromised account. Enable additional security controls like IP address allowlists and conditional access policies requiring multi-factor authentication.
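The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC or AWS code: it groups device code flow events by source IP address and user agent, counts attempts, failures, and successes, and lists sources outside the expected networks first. The event-name filter, the `summarize` function, the expected network, and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: eventName values that mark the device code flow in your trail.
# StartDeviceAuthorization and CreateToken are IAM Identity Center OIDC API
# actions; confirm against the events referenced by the alert.
DEVICE_FLOW_EVENTS = {"StartDeviceAuthorization", "CreateToken"}

def _rec(name, ip, ua, error=None):
    """Build a constructed CloudTrail-style record (sample data only)."""
    rec = {"eventName": name, "sourceIPAddress": ip, "userAgent": ua}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample input; IPs are from documentation ranges.
SAMPLE = json.dumps({"Records": [
    _rec("CreateToken", "203.0.113.50", "python-requests/2.31", "AuthorizationPendingException"),
    _rec("CreateToken", "203.0.113.50", "python-requests/2.31", "AuthorizationPendingException"),
    _rec("CreateToken", "203.0.113.50", "python-requests/2.31"),
    _rec("CreateToken", "198.51.100.7", "aws-cli/2.15.0"),
    _rec("ConsoleLogin", "198.51.100.7", "Mozilla/5.0"),
]})

def summarize(trail_json, expected_networks):
    """Count device-flow events per (source IP, user agent), unexpected first."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "successes": 0})
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventName") not in DEVICE_FLOW_EVENTS:
            continue
        key = (rec.get("sourceIPAddress", "unknown"), rec.get("userAgent", "unknown"))
        stats[key]["attempts"] += 1
        stats[key]["failures" if "errorCode" in rec else "successes"] += 1
    report = []
    for (ip, ua), s in stats.items():
        try:
            expected = any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:  # sourceIPAddress can be a service name, not an IP
            expected = False
        report.append({"ip": ip, "user_agent": ua, "expected": expected, **s})
    # Unexpected sources first, then successful authentications, then volume.
    report.sort(key=lambda r: (r["expected"], -r["successes"], -r["attempts"]))
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE, ["198.51.100.0/24"]):
        print(row)
```

A row with `expected` false and a nonzero `successes` count is the case the paragraph above calls out: a successful authentication from an unexpected location or device.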