AWS Console Login by New User
Detects first-time AWS console login, which can indicate compromised credentials or malicious account creation.
This detection identifies the first-time login to the AWS console by a specific user. This is a critical monitoring point as it could indicate several security concerns. These include unauthorized access using compromised credentials, a malicious actor establishing a foothold in the AWS environment, or an insider threat creating new accounts for nefarious purposes. The detection focuses on identifying the initial console login event. It is crucial to investigate these events promptly to determine the legitimacy of the user activity. Early detection can prevent further malicious actions such as data exfiltration, resource exploitation, or privilege escalation. This detection is designed to work across all AWS environments and requires proper configuration of AWS CloudTrail.
Attack Chain
- An attacker gains unauthorized access to an AWS account, possibly through credential theft or brute-forcing.
- The attacker logs into the AWS Management Console for the first time using the compromised or newly created account.
- The attacker explores the AWS environment to identify potential targets, resources, and vulnerabilities.
- The attacker attempts to escalate privileges by exploiting misconfigured IAM roles or policies.
- The attacker launches EC2 instances for cryptomining or other malicious purposes.
- The attacker accesses and exfiltrates sensitive data from S3 buckets or databases.
- The attacker covers their tracks by deleting CloudTrail logs or modifying security configurations.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, financial losses due to resource consumption (e.g., cryptomining), and reputational damage. A compromised AWS environment can be used to launch attacks against other targets, further amplifying the impact. The number of affected users and the extent of the damage depend on the level of access the attacker gains and the sensitivity of the data compromised. The financial impact can range from a few thousand dollars to millions, depending on the scale of the breach and the cost of remediation.
Detection coverage 2
AWS Console Login By New User
mediumDetects first time AWS console login event for a user.
AWS Console Login Without MFA
highDetects AWS console logins without MFA enabled.
Detection queries are available on the platform. Get full rules →