Compromising AWS Console credentials







EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability. Some might refer to this as likelihood.

IMPACT The expected impact of a successful exploitation of this vulnerability on your environment and organization.




An attacker with access to leaked or reused user credentials can leverage them to access the AWS Console, especially if an IAM user does not have multi-factor authentication (MFA) enabled.

Understanding Impact

Business Impact

The AWS Console is the cockpit to your cloud environment. Depending on the permissions of the compromised user, an attacker with access to the AWS Console can access everything in your cloud environment.

Technical Impact

An IAM user can access the AWS Console if they have a login profile assigned to them. The best practice is to avoid using IAM users for humans and console access.


You can identify when an IAM user successfully or unsuccessfully authenticates to the AWS Console using the CloudTrail event ConsoleLogin.

When the attribute additionalEventData.MFAUsed is set to No, the authentication did not use MFA and may carry higher risk.

The attribute responseElements.ConsoleLogin indicates whether the authentication succeeded or failed.

GuardDuty also has a dedicated finding, IAMUser/ConsoleLoginSuccess.B, to identify suspicious AWS Console authentication attempts.
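The CloudTrail checks described above can be combined into a small triage pass. This is an added example, not Datadog's or AWS's own detection logic; it reads additionalEventData.MFAUsed (the field name as it appears in CloudTrail records), and the sample events, the failure threshold and the severity labels are assumptions made for illustration.

```python
from collections import defaultdict

def _ev(time, user, outcome, mfa, utype="IAMUser", ip="198.51.100.7"):
    # Builds a constructed, trimmed-down CloudTrail ConsoleLogin record.
    return {"eventTime": time, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": utype, "userName": user},
            "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": outcome}}

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:01Z", "alice", "Failure", "No"),
    _ev("2024-05-01T10:00:09Z", "alice", "Failure", "No"),
    _ev("2024-05-01T10:00:15Z", "alice", "Failure", "No"),
    _ev("2024-05-01T10:00:31Z", "alice", "Success", "No"),
    _ev("2024-05-01T10:05:00Z", "bob", "Success", "Yes", ip="203.0.113.20"),
    _ev("2024-05-01T10:07:00Z", "carol", "Success", "No", ip="203.0.113.44"),
    # Federated session: MFA is handled by the identity provider, so MFAUsed is "No".
    _ev("2024-05-01T10:09:00Z", None, "Success", "No", utype="AssumedRole"),
]

def classify(event):
    """Return 'failure', 'success_mfa' or 'success_no_mfa'; None if not an IAM user ConsoleLogin."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    if (event.get("userIdentity") or {}).get("type") != "IAMUser":
        return None  # skip federated and root logins; this check targets IAM users only
    if (event.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return "failure"
    mfa = (event.get("additionalEventData") or {}).get("MFAUsed", "No")
    return "success_mfa" if mfa.lower() == "yes" else "success_no_mfa"

def triage(events, failure_threshold=3):
    """Alert on each success without MFA; raise severity if failures preceded it."""
    failures, alerts = defaultdict(int), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        verdict = classify(ev)
        if verdict is None:
            continue
        user = ev["userIdentity"].get("userName")
        if verdict == "failure":
            failures[user] += 1
            continue
        if verdict == "success_no_mfa":
            severity = "high" if failures[user] >= failure_threshold else "medium"
            alerts.append({"user": user, "ip": ev["sourceIPAddress"], "time": ev["eventTime"],
                           "prior_failures": failures[user], "severity": severity})
        failures[user] = 0  # any successful login resets the failure streak
    return alerts
```

Filtering on the IAMUser identity type keeps federated console sessions, which report MFAUsed as No even when the identity provider enforced MFA, from generating false positives.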

Reproduce the attack

You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:

stratus detonate aws.initial-access.console-login-without-mfa

See also the related documentation.

How Datadog can help

Cloud SIEM

Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:


Stratus Red Team - Console Login without MFA

Credentials Phishing for AWS Console Credentials

What do I do if I notice unauthorized activity in my AWS account?

AWS documentation
