AWS IAM User Console Login from Multiple Geolocations
Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account's credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/29"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2026/06/29"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries
11within a short window. A single user authenticating from multiple geographic locations in a brief period is physically
12implausible and indicates that the account's credentials or console session are being used from more than one place at
13once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs
14in from their location while the attacker replays the captured session or credentials from their own infrastructure.
15Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even
16when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of
17identity-provider impossible-travel sign-in detections.
18"""
19false_positives = [
20 """
21 Legitimate users may appear in multiple countries within the window when using VPNs or proxies with exit nodes in
22 different countries, when traveling near borders, or when mobile networks geolocate to different countries. Verify
23 the source IPs and ASNs in "Esql.source_ip_values", confirm whether the locations are consistent with the user's
24 expected activity, and exclude known VPN egress patterns after validation. Shared IAM users (an anti-pattern) used
25 by multiple people will also match.
26 """,
27]
28from = "now-65m"
29interval = "10m"
30language = "esql"
31license = "Elastic License v2"
32name = "AWS IAM User Console Login from Multiple Geolocations"
33note = """## Triage and analysis
34
35### Investigating AWS IAM User Console Login from Multiple Geolocations
36
37This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim's live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.
38
39### Possible investigation steps
40
41- Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user's expected origin.
42- Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
43- Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
44- Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.
45
46### False positive analysis
47
48- VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.
49
50### Response and remediation
51
52- If unauthorized, revoke the user's console sessions, reset the password and MFA, and rotate access keys.
53- Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.
54
55### Additional information
56
57- [AWS sign-in CloudTrail events](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
58"""
59references = ["https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/"]
60risk_score = 47
61rule_id = "5301ac83-7a43-4c92-95e7-c372afea807d"
62severity = "medium"
63tags = [
64 "Domain: Cloud",
65 "Domain: Identity",
66 "Data Source: AWS",
67 "Data Source: Amazon Web Services",
68 "Data Source: AWS Sign-In",
69 "Use Case: Identity and Access Audit",
70 "Tactic: Initial Access",
71 "Tactic: Credential Access",
72 "Resources: Investigation Guide",
73]
74timestamp_override = "event.ingested"
75type = "esql"
76
77query = '''
78FROM logs-aws.cloudtrail-*
79| WHERE event.provider == "signin.amazonaws.com"
80 AND event.action == "ConsoleLogin"
81 AND event.outcome == "success"
82 AND aws.cloudtrail.user_identity.type == "IAMUser"
83 AND source.geo.country_iso_code IS NOT NULL
84| STATS
85 Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
86 Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),
87 Esql.source_ip_values = VALUES(source.ip),
88 Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),
89 Esql.timestamp_min = MIN(@timestamp),
90 Esql.timestamp_max = MAX(@timestamp)
91 BY aws.cloudtrail.user_identity.arn, cloud.account.id
92| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
93| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max
94'''
95
96
97[[rule.threat]]
98framework = "MITRE ATT&CK"
99[[rule.threat.technique]]
100id = "T1078"
101name = "Valid Accounts"
102reference = "https://attack.mitre.org/techniques/T1078/"
103[[rule.threat.technique.subtechnique]]
104id = "T1078.004"
105name = "Cloud Accounts"
106reference = "https://attack.mitre.org/techniques/T1078/004/"
107
108
109
110[rule.threat.tactic]
111id = "TA0001"
112name = "Initial Access"
113reference = "https://attack.mitre.org/tactics/TA0001/"
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1539"
118name = "Steal Web Session Cookie"
119reference = "https://attack.mitre.org/techniques/T1539/"
120
121
122[rule.threat.tactic]
123id = "TA0006"
124name = "Credential Access"
125reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating AWS IAM User Console Login from Multiple Geolocations
This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim's live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.
Possible investigation steps
- Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user's expected origin.
- Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
- Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
- Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.
False positive analysis
- VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.
Response and remediation
- If unauthorized, revoke the user's console sessions, reset the password and MFA, and rotate access keys.
- Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.
Additional information
References
Related rules
- AWS EC2 Instance Console Login via Assumed Role
- AWS Management Console Brute Force of Root User Identity
- AWS Management Console Root Login
- AWS Sign-In Console Login with Federated User
- AWS Sign-In Root Password Recovery Requested