Skip to content
Threat Feed
high advisory

AWS Console Login Password Spraying

A single source IP failing to authenticate into the AWS Console with multiple valid users, potentially indicating a password spraying attack against cloud resources.

This analytic identifies potential password spraying attacks against the AWS Console. It uses CloudTrail logs to detect a single source IP address attempting to authenticate with multiple user accounts but failing. The detection leverages statistical analysis, specifically calculating the standard deviation of failed login attempts per source IP and applying a 3-sigma rule to identify outliers. This behavior is indicative of attackers trying to gain initial access to the AWS environment by systematically attempting common passwords across a range of usernames. The technique is often employed to bypass account lockout policies. This activity, if successful, can lead to unauthorized resource access, data breaches, or broader exploitation within the AWS environment. The original Splunk ES-CU analytic was published in April 2026.

Attack Chain

  1. An attacker identifies a target AWS account.
  2. The attacker obtains a list of valid usernames for the target AWS account, possibly through OSINT or previous breaches.
  3. The attacker initiates a password spraying attack against the AWS Console, attempting to log in with each username from a single source IP address.
  4. Each login attempt generates a CloudTrail ConsoleLogin event with a "failure" action.
  5. The AWS CloudTrail logs are ingested and analyzed by a SIEM or security analytics platform.
  6. The analytic calculates the number of distinct failed login attempts from each source IP within a specific time window (e.g., 10 minutes).
  7. The analytic identifies source IPs with a significantly higher than average number of failed login attempts compared to the historical baseline.
  8. If the attack is successful, the attacker gains access to the AWS account and can perform malicious activities such as data exfiltration, resource modification, or privilege escalation.

Impact

Successful password spraying attacks against AWS accounts can lead to significant consequences. Attackers could gain unauthorized access to sensitive data stored in AWS services like S3 buckets or databases. Compromised accounts can also be used to launch further attacks against other systems and services within the AWS environment or connected to it. The potential impact includes data breaches, financial loss, reputational damage, and service disruption. The number of victims and the scale of damage vary depending on the attacker's objectives and the security measures in place.

Recommendation

  • Deploy the Sigma rule AWS Unusual Number of Failed Console Logins to detect potential password spraying attempts based on CloudTrail logs.
  • Investigate alerts generated by the Sigma rule by examining the source IP address (src) and the list of attempted usernames (tried_accounts).
  • Implement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of password-based attacks.
  • Monitor AWS CloudTrail logs for unusual login patterns and failed authentication attempts.
  • Review and enforce strong password policies for all AWS users.

Detection coverage 2

AWS Unusual Number of Failed Console Logins

high

Detects an unusual number of failed console logins from a single source IP address, which may indicate password spraying.

sigma tactics: initial_access techniques: T1110.003 sources: cloudtrail, aws

AWS Failed Console Login with Non-Existent User

medium

Detects failed console logins with usernames that do not exist.

sigma tactics: initial_access techniques: T1110.003 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →