AWS Console Login by User from New Region
An AWS account may be compromised if a user logs into the AWS console from a geographic region they have never accessed before, potentially indicating unauthorized access or account takeover.
This alert detects when a user logs into the AWS console from a new geographic region. While not inherently malicious, it can signal account compromise, insider threat activity, or a user legitimately accessing resources from an unexpected location. By monitoring login locations and comparing them against a baseline of previously observed activity, analysts can identify anomalous access patterns that warrant further investigation. Defenders should investigate any alerts generated by this rule, as it could signify an attacker gaining unauthorized access to an AWS environment.
Attack Chain
- Initial Access: An attacker obtains valid AWS credentials through methods like credential stuffing, phishing, or purchasing them on the dark web.
- Console Login: The attacker uses the stolen credentials to log into the AWS Management Console.
- Region Selection: The attacker selects a geographic region to operate from. This might be a region different from the user's typical access pattern or the organization's usual deployment regions.
- Enumeration: The attacker starts enumerating AWS resources (e.g., EC2 instances, S3 buckets, IAM roles) to understand the environment and identify potential targets.
- Privilege Escalation (if needed): The attacker attempts to escalate privileges by exploiting misconfigured IAM roles or vulnerabilities in the AWS environment.
- Lateral Movement: The attacker moves laterally within the AWS environment, accessing different services and resources.
- Data Exfiltration or Resource Manipulation: The attacker exfiltrates sensitive data from S3 buckets or databases, or manipulates EC2 instances or other resources to cause damage or disruption.
Impact
A successful AWS account compromise can lead to significant data breaches, financial losses, and reputational damage. Organizations in all sectors are potential targets, especially those with sensitive data stored in AWS. If an attacker gains access to an AWS account, they can steal confidential information, disrupt critical services, deploy ransomware, or use the compromised resources for malicious purposes like cryptocurrency mining.
Detection coverage 2
AWS Console Login from New Region
mediumDetects an AWS user logging in from a previously unseen geographic region, potentially indicating account compromise.
AWS Console Login Activity
infoDetects any AWS console login activity.
Detection queries are available on the platform. Get full rules →