About
An attacker with access to leaked or reused user credentials can leverage them to access the AWS Console, especially if an IAM user does not have multi-factor authentication (MFA) enabled.
Understanding Impact
Business Impact
The AWS Console is the cockpit to your cloud environment. Depending on the permissions of the compromised user, an attacker with access to the AWS Console can access everything in your cloud environment.
Technical Impact
An IAM user can access the AWS Console if they have a login profile assigned to them. The best practice is to avoid using IAM users for humans and console access.
Detection
You can identify when an IAM user successfully or unsuccessfully authenticates to the AWS Console using the CloudTrail event ConsoleLogin.
When the attribute additionalEventData.MFAUsed is set to No, the authentication did not use MFA and carries a higher risk.
The attribute responseElements.ConsoleLogin indicates whether the authentication succeeded (Success) or failed (Failure).
GuardDuty also has a dedicated finding, IAMUser/ConsoleLoginSuccess.B, to identify suspicious AWS Console authentication attempts.
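The detection described above, as an added example that is not part of the original page and not Datadog or Stratus Red Team code: it walks CloudTrail ConsoleLogin records and flags a successful login whose additionalEventData.MFAUsed is "No", and separately counts failed console logins per user. The CloudTrail records are constructed inline for the example (account, user names and IP addresses are made up); only the fields the check reads are populated.

```python
"""Flag AWS Console logins without MFA in CloudTrail records (added example)."""
from __future__ import annotations

import json
from collections import Counter
from typing import Any, Iterable

# Constructed sample CloudTrail log (not real data). The layout follows the
# CloudTrail file format: a top-level "Records" list of events. The user names
# and IP addresses are made up for the example.
SAMPLE_LOG = json.dumps({"Records": [
    {   # MFA-backed login: not flagged
        "eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:00:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # successful login without MFA: flagged
        "eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:05:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # failed login: counted, not flagged
        "eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:06:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
        "errorMessage": "Failed authentication",
    },
    {   # second failed login for the same user
        "eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:07:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # unrelated API call: ignored
        "eventName": "GetCallerIdentity", "eventTime": "2024-01-01T10:08:00Z",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]})


def load_records(log_text: str) -> list[dict]:
    """Parse a CloudTrail log file body and return its event list."""
    return json.loads(log_text).get("Records", [])


def _get(event: dict, *path: str, default: Any = None) -> Any:
    """Walk nested keys safely, e.g. _get(e, "responseElements", "ConsoleLogin")."""
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_console_login(event: dict) -> bool:
    return event.get("eventName") == "ConsoleLogin"


def is_console_login_without_mfa(event: dict) -> bool:
    """A successful ConsoleLogin whose MFAUsed attribute is "No"."""
    return (
        is_console_login(event)
        and _get(event, "responseElements", "ConsoleLogin") == "Success"
        and _get(event, "additionalEventData", "MFAUsed") == "No"
    )


def find_console_logins_without_mfa(events: Iterable[dict]) -> list[dict]:
    """Return a compact alert record for every flagged event."""
    alerts = []
    for e in events:
        if is_console_login_without_mfa(e):
            alerts.append({
                "time": e.get("eventTime"),
                "identity_type": _get(e, "userIdentity", "type"),
                "user": _get(e, "userIdentity", "userName", default="<unknown>"),
                "source_ip": e.get("sourceIPAddress"),
            })
    return alerts


def failed_login_counts(events: Iterable[dict]) -> dict[str, int]:
    """Failed console logins per user name; repeated failures hint at password guessing."""
    counts: Counter[str] = Counter()
    for e in events:
        if is_console_login(e) and _get(e, "responseElements", "ConsoleLogin") == "Failure":
            counts[_get(e, "userIdentity", "userName", default="<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for alert in find_console_logins_without_mfa(records):
        print("console login without MFA:", alert)
    print("failed logins per user:", failed_login_counts(records))
```

Both checks read only the fields the page names, so the same functions work on records pulled from a CloudTrail S3 bucket or an Athena export without change; the failure counter is a cheap companion signal for the credential-stuffing scenario the page describes.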
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.initial-access.console-login-without-mfa
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
References
Stratus Red Team - Console Login without MFA (stratus-red-team.cloud)
Credentials Phishing for AWS Console Credentials (ramimac.me)
What do I do if I notice unauthorized activity in my AWS account? (AWS documentation)