AWS Console Login by User from New Country
This detection identifies AWS console logins by a user originating from a country not previously associated with that user, potentially indicating account compromise.
This detection identifies instances of AWS console logins where a user authenticates from a country that is not within their historical login locations. The goal is to detect potential account compromise scenarios where an attacker gains access to a legitimate user's AWS credentials and logs in from a geographically anomalous location. While not all such logins are malicious, they warrant investigation to confirm the user's activity and ensure no unauthorized access is occurring. This rule leverages the AWS CloudTrail logs to monitor console login events and compare the source country with a baseline of previously observed countries for each user.
Attack Chain
- Attacker gains access to AWS credentials through phishing, credential stuffing, or malware.
- Attacker uses the stolen credentials to attempt to log in to the AWS Management Console.
- The login attempt generates a CloudTrail event.
- The CloudTrail event records the source IP address of the login attempt.
- Geolocation services determine the country of origin for the source IP address.
- The detected country is compared against a historical baseline of countries associated with the user.
- If the country is new for the user, an alert is triggered.
Impact
Successful exploitation can lead to unauthorized access to sensitive AWS resources. This may result in data breaches, service disruption, or financial loss. The impact depends on the permissions associated with the compromised user account. Early detection of anomalous login activity can prevent significant damage by allowing security teams to quickly investigate and remediate the incident, such as disabling the compromised account or enforcing multi-factor authentication.
Detection coverage 2
AWS Console Login From New Country
mediumDetects AWS console logins from a country not previously seen for a user.
AWS Console Login without MFA
highDetects AWS Console logins that did not use MFA.
Detection queries are available on the platform. Get full rules →