Skip to content
Threat Feed
medium advisory

AWS Console Login Failed During MFA Challenge

Detection of failed AWS console login attempts despite successful MFA usage, indicating potential account compromise attempts.

This threat brief focuses on identifying failed authentication attempts to the AWS Management Console even when Multi-Factor Authentication (MFA) has been successfully used. The activity is detected by analyzing AWS CloudTrail logs and specifically checking the additionalEventData field to see if MFA was used during a failed login. This behavior can signal an attacker attempting to brute-force or use compromised credentials to access an AWS account. Although MFA prevents initial access, repeated failed attempts warrant investigation, as they could precede successful breaches if MFA is misconfigured or bypassed through social engineering or other vulnerabilities. The detection is based on the Splunk ES content pack, version 10.

Attack Chain

  1. An attacker obtains compromised AWS credentials (username/password) through phishing, data breaches, or other means.
  2. The attacker attempts to log in to the AWS Management Console using the stolen credentials.
  3. AWS prompts the attacker for their MFA token.
  4. The attacker successfully provides a valid MFA token, indicating they have access to the MFA device, or have bypassed the MFA requirement somehow.
  5. Despite successful MFA authentication, the login attempt fails. This could be due to a variety of reasons, including incorrect username/password combination even after MFA, account lockouts, or other access restrictions.
  6. The system logs the failed login attempt with the errorMessage="Failed authentication" and additionalEventData.MFAUsed = "Yes" in AWS CloudTrail.
  7. The attacker may retry the login attempt multiple times, triggering the detection rule.
  8. If successful, the attacker gains unauthorized access to the AWS environment and can perform malicious actions like data exfiltration, resource deployment, or service disruption.

Impact

A successful AWS account takeover can lead to severe consequences, including unauthorized access to sensitive data, modification or deletion of critical resources, deployment of malicious infrastructure, and significant financial losses. While MFA provides an extra layer of security, repeated failed login attempts even with MFA suggest that an attacker has potentially compromised credentials and may be attempting to circumvent security controls. The number of victims would depend on the scope of the compromised AWS account, and targeted sectors could vary widely based on the account's purpose.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect failed AWS console logins during MFA challenges by monitoring AWS CloudTrail ConsoleLogin logs.
  • Investigate any alerts generated by the Sigma rule and validate the legitimacy of the failed login attempts by reviewing the user, src, and user_agent fields in the logs.
  • Consider implementing account lockout policies after a certain number of failed login attempts to mitigate brute-force attacks.
  • Review IAM policies and MFA configurations to ensure they adhere to security best practices.
  • Educate users about phishing and other social engineering techniques to prevent credential compromise.
  • Enable and monitor AWS CloudTrail logs, ensuring proper configuration for capturing ConsoleLogin events.

Detection coverage 2

AWS Console Login Failed After MFA

medium

Detects failed AWS console logins despite successful MFA usage, indicating potential account compromise attempts.

sigma tactics: credential_access techniques: T1586.003, T1621 sources: webserver, aws

AWS Console Login Failed - No MFA Used

low

Detects failed AWS console logins where MFA was not used.

sigma tactics: credential_access techniques: T1586.003, T1621 sources: webserver, aws

Detection queries are available on the platform. Get full rules →