AWS Federated User Console Login without MFA Enforcement
Detection of successful AWS Management Console logins by federated users, which pose a security risk due to potential lack of enforced MFA as CloudTrail does not reliably record MFA status for federated users.
This detection identifies when a federated user successfully logs into the AWS Management Console. Federated users are granted temporary credentials to access AWS resources. A potential security risk arises if MFA is not enforced, as adversaries might exploit stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. The rule increases priority if a related 'GetSigninToken' event has a different source IP, ASN, geo, or user-agent from the subsequent 'ConsoleLogin', suggesting possible token relay or abuse. This alert requires correlation with Identity Provider (IdP) authentication logs to confirm MFA enforcement for the session. This detection is crucial for organizations relying on federated access for AWS resources, as it helps identify potentially compromised accounts or misconfigured access policies.
Attack Chain
- An attacker obtains valid credentials for a federated user, potentially through phishing, credential stuffing, or insider threat.
- The attacker leverages the stolen credentials to request a sign-in token using
GetSigninTokenfromsignin.amazonaws.com. - The attacker initiates a
ConsoleLoginevent to the AWS Management Console using the obtained sign-in token. - The
ConsoleLoginevent is recorded in AWS CloudTrail withaws.cloudtrail.user_identity.typeas "FederatedUser" andevent.outcomeas "success". - Defenders observe the
ConsoleLoginevent and correlate it with IdP logs to ascertain if MFA was enforced during authentication. - If MFA was not enforced and the source IP/ASN/geo are suspicious, the attacker proceeds to perform unauthorized actions within the AWS environment.
- The attacker may attempt lateral movement or privilege escalation using the federated user's granted permissions.
- The attacker achieves their objective, such as data exfiltration, resource destruction, or deploying malicious infrastructure.
Impact
A successful attack can lead to unauthorized access to sensitive data, compromise of critical infrastructure, and potential financial losses. The severity depends on the permissions granted to the compromised federated user. Organizations in all sectors using AWS federated access are at risk. Without proper MFA enforcement, the likelihood of successful exploitation significantly increases. Failure to detect and respond to such incidents can result in compliance violations and reputational damage.
Recommendation
- Deploy the following Sigma rule to detect successful AWS Management Console logins by federated users (see 'AWS Federated User Console Login' Sigma rule).
- Correlate identified
ConsoleLoginevents with Identity Provider (IdP) logs to verify MFA enforcement, focusing on discrepancies in source IP, ASN, geo, or user-agent between 'GetSigninToken' and 'ConsoleLogin' events. - Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.
- Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
- Maintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents to reduce false positives.
Detection coverage 2
AWS Federated User Console Login
mediumDetects successful AWS Management Console logins by federated users based on CloudTrail logs.
AWS GetSigninToken from Unfamiliar Source
lowDetects GetSigninToken API calls originating from unusual IP addresses, ASNs or user agents.
Detection queries are available on the platform. Get full rules →