AWS Management Console Failed Login Attempts
Detection of repeated failed login attempts to the AWS Management Console, potentially indicating brute-force or credential access attempts by threat actors aiming to compromise AWS accounts.
This analytic focuses on identifying potential credential access attacks against AWS accounts. The primary objective is to detect patterns of unsuccessful login attempts to the AWS Management Console, which could signify brute-force attacks or unauthorized access attempts. It leverages AWS CloudTrail logs, specifically monitoring "ConsoleLogin" events with "Failed authentication" messages. Successful exploitation could grant attackers unauthorized access to AWS resources, leading to data breaches, resource manipulation, or further lateral movement within the AWS environment. Defenders should prioritize monitoring for such activity to prevent potential account compromise and data exfiltration.
Attack Chain
- Initial Access Attempt: The attacker attempts to gain access to the AWS Management Console using compromised or guessed credentials.
- ConsoleLogin Event Triggered: Each failed login attempt generates an AWS CloudTrail "ConsoleLogin" event with an "errorMessage" indicating "Failed authentication".
- CloudTrail Log Capture: The CloudTrail service captures these events and stores them in a designated S3 bucket or sends them to a centralized logging solution like Splunk.
- Authentication Failure: AWS's authentication service denies access based on the invalid credentials.
- Repeated Attempts: The attacker continues to attempt logins, potentially using a list of usernames and passwords (credential stuffing).
- Detection Trigger: A detection rule or analytic identifies the repeated "ConsoleLogin" failures originating from a single source IP address or targeting a specific user.
- Potential Account Takeover: If successful, the attacker gains access to the AWS account.
- Post-Exploitation Activity: Upon gaining access, the attacker may perform actions such as creating new IAM users, launching EC2 instances, accessing S3 buckets, or modifying security configurations.
Impact
Compromised AWS accounts can lead to significant damage, including unauthorized access to sensitive data, resource manipulation, denial-of-service attacks, and lateral movement to other connected systems. The severity of the impact depends on the permissions associated with the compromised account and the attacker's objectives. A successful account takeover could result in data breaches, financial losses, and reputational damage.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect failed AWS ConsoleLogin attempts and tune for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the source IP address, targeted user, and frequency of failed login attempts.
- Implement multi-factor authentication (MFA) for all AWS accounts to mitigate the risk of credential-based attacks.
- Monitor AWS CloudTrail logs for other suspicious activities, such as unusual API calls or changes to IAM policies.
- Review and enforce strong password policies for all AWS users.
- Utilize AWS IAM Access Analyzer to identify potential access risks within your AWS environment.
Detection coverage 2
AWS Console Login Failed Authentication
mediumDetects failed authentication events associated with AWS ConsoleLogin attempts.
Multiple AWS Console Login Failures from Single Source
highDetects multiple failed AWS ConsoleLogin attempts from a single source IP address within a short time period, indicating potential brute-force activity.
Detection queries are available on the platform. Get full rules →