Multiple AWS Console Login Failures from same Source IP
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| Multiple AWS Console Login Failures from same Source IP | Standard | AWS CloudTrail | Credential Access: Brute Force: Password Guessing (T1110.001) | Critical |
About the rule
Rule Type
Standard
Rule Description
Identifies multiple failed login attempts to the AWS Management Console originating from a single source IP address within a short timeframe. This behavior is indicative of a brute-force or dictionary attack against AWS IAM user accounts.
Why this rule?
Repeated login failures from a single IP address indicate credential stuffing, brute force attacks, or compromised credentials being tested. This pattern suggests an active attempt to gain unauthorized access to your AWS environment. Detecting this behavior early helps prevent account compromise and potential cloud infrastructure takeover.
Severity
Critical
Rule journey
Attack chain scenario
Reconnaissance → Credential Access → Brute Force Attempt → Multiple Console Login Failures → Potential account takeover.
Impact
Successful brute forcing leads to unauthorized access to the AWS environment, potentially resulting in data exfiltration, resource deletion, or unauthorized infrastructure deployment.
Rule Requirement
Prerequisites
AWS CloudTrail must be enabled and delivering to a central location (for example an organization trail). ConsoleLogin is a management event, so management event logging must be on; confirm that "ConsoleLogin" records, including those with responseElements.ConsoleLogin = "Failure", are arriving at the SIEM.
Criteria
Action1:
actionname = "Failed logon"
| timewindow 4m
| groupby CALLER
| groupby IPADDRESS having COUNT >= 2
select Action1.timewindow.CALLER,Action1.timewindow.SOURCE,Action1.timewindow.LOG_EVENT_NAME,Action1.timewindow.IPADDRESS,Action1.timewindow.ERRORMESSAGE,Action1.timewindow.LOGINTO,Action1.timewindow.SOURCE_REGION,Action1.timewindow.USERAGENT,Action1.timewindow.ACCOUNTID
Detection
Execution Mode
realtime
Log Sources
AWS CloudTrail
MITRE ATT&CK
Credential Access: Brute Force: Password Guessing (T1110.001)
Future actions
Known False Positives
Users mistyping or forgetting their passwords, automated scripts or browser sessions retrying with expired credentials, and many employees signing in at the same time from behind a single NAT or proxy egress IP. In the shared-egress case the failures are spread across many distinct user names with one or two failures each, whereas password guessing concentrates on a few accounts.
Next Steps
- Identification: Identify the source IP address, the IAM user names being targeted, and whether any attempts used a non-existent user name (CloudTrail records the user name as HIDDEN_DUE_TO_SECURITY_REASONS in that case).
- Analysis: Use geolocation and threat-intelligence data to determine whether the IP is known for malicious activity, belongs to an anonymizing service, or is outside your expected regions. Check for any subsequent ConsoleLogin with responseElements.ConsoleLogin = "Success" from the same IP; a success after a run of failures is the account-takeover signal.
- Response: The console sign-in endpoint is AWS-managed, so WAF rules and security groups cannot block it. Instead, rotate the credentials of the targeted users, require MFA for them (for example with an IAM policy that denies actions when aws:MultiFactorAuthPresent is false), and where the users have no legitimate need to act from that address, deny their access with an aws:SourceIp condition. Notify the affected users.
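The following is an added example, not the rule's own query language or any vendor code: it runs the detection logic above (failures per source IP inside a sliding 4-minute window, threshold 2) over constructed CloudTrail ConsoleLogin records, then produces the triage facts listed in the next steps: targeted users, attempts against non-existent user names, the distinct-user count that distinguishes a shared NAT egress from password guessing, and whether a success from the same IP followed the failures. Field names follow CloudTrail's ConsoleLogin record shape; the sample events, IPs and user names are constructed.

```python
"""Detect and triage repeated AWS Console login failures from one source IP.

Added example (not the rule's native query). Works on CloudTrail ConsoleLogin
records as CloudTrail emits them; the events below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=4)  # the rule's "timewindow 4m"
THRESHOLD = 2                  # the rule's "having COUNT >= 2"
# CloudTrail substitutes this user name when the name entered does not exist.
HIDDEN_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _user(event):
    return event.get("userIdentity", {}).get("userName", HIDDEN_USER)


def console_logins(events, outcome):
    """ConsoleLogin records whose responseElements.ConsoleLogin equals outcome."""
    return [e for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == outcome]


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: alert} for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for e in console_logins(events, "Failure"):
        by_ip[e["sourceIPAddress"]].append(_ts(e))
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, best_span, start = 0, None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the left edge
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], times[end])
        if best >= threshold:
            alerts[ip] = {"count": best, "window_start": best_span[0],
                          "window_end": best_span[1]}
    return alerts


def triage(events, ip):
    """Facts an analyst needs for one alerted IP; None if it has no failures."""
    fails = [e for e in console_logins(events, "Failure") if e["sourceIPAddress"] == ip]
    if not fails:
        return None
    first_fail = min(_ts(e) for e in fails)
    users = sorted({_user(e) for e in fails} - {HIDDEN_USER})
    successes = [e for e in console_logins(events, "Success")
                 if e["sourceIPAddress"] == ip and _ts(e) >= first_fail]
    return {
        "targeted_users": users,
        "distinct_users": len(users),  # many distinct users -> shared NAT/proxy?
        "unknown_username_attempts": sum(_user(e) == HIDDEN_USER for e in fails),
        "success_after_failure": bool(successes),  # takeover signal
        "users_logged_in_after": sorted({_user(e) for e in successes}),
    }


def _ev(t, ip, user, outcome):
    """Build a constructed ConsoleLogin record (sample data, not real logs)."""
    identity = {"type": "IAMUser", "userName": user} if user else {"type": "IAMUser"}
    return {"eventTime": t, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": identity, "responseElements": {"ConsoleLogin": outcome},
            "errorMessage": "Failed authentication" if outcome == "Failure" else None,
            "userAgent": "Mozilla/5.0", "recipientAccountId": "123456789012"}


# Constructed sample: 203.0.113.7 guesses four times in two minutes, then gets in as bob;
# 198.51.100.9 has two failures ten minutes apart (outside the window); 192.0.2.1 is clean.
EVENTS = [
    _ev("2024-05-01T10:00:05Z", "203.0.113.7", "alice", "Failure"),
    _ev("2024-05-01T10:00:40Z", "203.0.113.7", "alice", "Failure"),
    _ev("2024-05-01T10:01:10Z", "203.0.113.7", HIDDEN_USER, "Failure"),
    _ev("2024-05-01T10:02:00Z", "203.0.113.7", "bob", "Failure"),
    _ev("2024-05-01T10:03:30Z", "203.0.113.7", "bob", "Success"),
    _ev("2024-05-01T10:00:00Z", "198.51.100.9", "carol", "Failure"),
    _ev("2024-05-01T10:10:00Z", "198.51.100.9", "carol", "Failure"),
    _ev("2024-05-01T10:00:00Z", "192.0.2.1", "dave", "Success"),
]

if __name__ == "__main__":
    for ip, alert in detect(EVENTS).items():
        print(ip, alert)
        print("  triage:", triage(EVENTS, ip))
```

Run as-is to see one alert for 203.0.113.7 with its triage record. The distinct-user count and unknown-user-name count are what separate a busy office NAT from password spraying, and success_after_failure is the field that should raise the case from "attempt" to "compromise".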
Mitigation
| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial-of-service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. Consider blocking risky authentication requests, such as those originating from anonymizing services or proxies. In AWS, IAM users have no configurable lockout; enforce lockout and conditional access at the identity provider behind IAM Identity Center or SAML federation, and limit IAM users with aws:SourceIp conditions. |
| M1032 | Multi-factor Authentication | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. In AWS, require MFA for the root user and for all IAM users with console passwords, and deny sensitive actions when aws:MultiFactorAuthPresent is false. |
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies; in AWS, apply them through the account password policy for IAM users and through the identity provider for federated users. |
| M1051 | Update Software | Upgrade management services to the latest supported and compatible version, specifically any version providing increased password complexity or policy enforcement that prevents default or weak passwords. |


