An attacker with access to leaked or reused user credentials can leverage them to access the AWS Console, especially if an IAM user does not have multi-factor authentication (MFA) enabled.
The AWS Console is the cockpit to your cloud environment. Depending on the permissions of the compromised user, an attacker with access to the AWS Console can access everything in your cloud environment.
An IAM user can access the AWS Console if they have a login profile assigned to them. The best practice is to avoid using IAM users for humans and console access.
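Auditing which principals actually have a console password but no MFA is the defender's counterpart to the point above. The following is an added example, not code from the original page: it parses the CSV returned by `aws iam get-credential-report` (after base64 decoding) and lists every principal with a password enabled and no active MFA device. The report content embedded below is constructed sample data, and the column names used are the ones the credential report documents (`user`, `password_enabled`, `mfa_active`).

```python
"""List console-capable IAM principals that have no MFA active.

Added example (not part of the original page). Input is the IAM credential
report CSV; the sample below is constructed, not from a real account.
"""
import csv
import io

# Constructed sample report. Real reports carry more columns; only the ones
# read below are required for this check.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:12:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2021-05-10T12:00:00+00:00,true,2024-03-02T08:00:00+00:00,2023-11-01T10:00:00+00:00,N/A,true
bob,arn:aws:iam::123456789012:user/bob,2022-02-03T12:00:00+00:00,true,2024-03-02T10:30:00+00:00,2022-02-03T12:05:00+00:00,N/A,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-06-01T12:00:00+00:00,false,N/A,N/A,N/A,false
"""


def parse_credential_report(report_csv: str) -> list:
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def console_users_without_mfa(report_csv: str) -> list:
    """Return names of principals with a console password but no active MFA.

    password_enabled is "true"/"false" for IAM users. For the root account the
    report says "not_supported" because root always has a password, so root is
    treated as console-capable too.
    """
    findings = []
    for row in parse_credential_report(report_csv):
        has_password = row["password_enabled"] in ("true", "not_supported")
        has_mfa = row["mfa_active"] == "true"
        if has_password and not has_mfa:
            findings.append(row["user"])
    return findings


if __name__ == "__main__":
    # On the constructed sample only "bob" has a login profile and no MFA.
    for user in console_users_without_mfa(SAMPLE_REPORT):
        print(f"console login enabled without MFA: {user}")
```

To run it against a real account, generate the report with `aws iam generate-credential-report`, then fetch and decode it with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the resulting text to `console_users_without_mfa`. "ci-deployer" is not flagged because it has no password at all; an IAM user with only access keys cannot sign in to the Console, which is the configuration the text recommends for non-human identities.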
You can identify when an IAM user successfully or unsuccessfully authenticates to the AWS Console using the CloudTrail event ConsoleLogin. When the attribute additionalEventData.MFAUsed is set to No, the authentication did not use MFA and carries a higher risk. responseElements.ConsoleLogin indicates whether the authentication succeeded or failed.
GuardDuty also has a dedicated finding, IAMUser/ConsoleLoginSuccess.B, to identify suspicious AWS Console authentication attempts.
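The two CloudTrail fields described above are enough to write the detection yourself. The following is an added example, not code from the original page or from Datadog: it reads a CloudTrail log body, keeps only ConsoleLogin events, flags successful logins where additionalEventData.MFAUsed is No, and separately counts failed logins per user, since a run of failures followed by a success without MFA is the trace a credential-reuse attempt leaves. The records below are constructed sample events in CloudTrail's shape, not real logs; the account id and IP addresses are placeholders.

```python
"""Detect AWS Console logins without MFA in CloudTrail records.

Added example (not part of the original page). Sample records are constructed.
"""
import json
from collections import Counter


def _console_login(user, mfa_used, result, source_ip, event_time):
    """Build a minimal ConsoleLogin record in CloudTrail's shape (constructed)."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "IAMUser",
            "userName": user,
            "arn": f"arn:aws:iam::123456789012:user/{user}",
        },
        "additionalEventData": {
            "MFAUsed": mfa_used,
            "LoginTo": "https://console.aws.amazon.com/",
            "MobileVersion": "No",
        },
        "responseElements": {"ConsoleLogin": result},
    }


# Constructed sample log body: one MFA login, two failures then a success
# without MFA for the same user, and one unrelated API call.
SAMPLE_RECORDS = json.dumps({"Records": [
    _console_login("alice", "Yes", "Success", "198.51.100.10", "2024-03-02T08:00:00Z"),
    _console_login("bob", "No", "Failure", "203.0.113.5", "2024-03-02T10:29:10Z"),
    _console_login("bob", "No", "Failure", "203.0.113.5", "2024-03-02T10:29:40Z"),
    _console_login("bob", "No", "Success", "203.0.113.5", "2024-03-02T10:30:00Z"),
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def console_logins(raw_json: str):
    """Yield only the ConsoleLogin events from a CloudTrail log file body."""
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventName") == "ConsoleLogin":
            yield rec


def logins_without_mfa(raw_json: str) -> list:
    """Return successful console logins where MFA was not used."""
    findings = []
    for rec in console_logins(raw_json):
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed", "")
        result = rec.get("responseElements", {}).get("ConsoleLogin", "")
        if result == "Success" and mfa_used.lower() == "no":
            ident = rec.get("userIdentity", {})
            findings.append({
                # Root logins carry no userName, only an arn; fall back to it.
                "user": ident.get("userName", ident.get("arn", "unknown")),
                "type": ident.get("type"),
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "eventTime": rec.get("eventTime"),
            })
    return findings


def failed_logins_by_user(raw_json: str) -> dict:
    """Count failed console logins per user name (a credential-stuffing signal).

    CloudTrail hides the user name on some failed attempts; those records are
    counted under whatever name the record carries, or "unknown".
    """
    counts = Counter()
    for rec in console_logins(raw_json):
        if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            counts[rec.get("userIdentity", {}).get("userName", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in logins_without_mfa(SAMPLE_RECORDS):
        print("console login without MFA:", f)
    print("failed logins per user:", failed_logins_by_user(SAMPLE_RECORDS))
```

The same two functions work on the gzip-decompressed objects CloudTrail writes to S3, whose top-level key is also Records. Comparing MFAUsed case-insensitively keeps the check robust to the lower-case "no" quoted in the text and the capitalised value seen in delivered logs.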
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.initial-access.console-login-without-mfa
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the following out-of-the-box rules:
Stratus Red Team - Console Login without MFA
Credentials Phishing for AWS Console Credentials
What do I do if I notice unauthorized activity in my AWS account?