AWS IAM User Console Login from Multiple Geolocations

Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account's credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/29"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/06/29"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries
 11within a short window. A single user authenticating from multiple geographic locations in a brief period is physically
 12implausible and indicates that the account's credentials or console session are being used from more than one place at
 13once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs
 14in from their location while the attacker replays the captured session or credentials from their own infrastructure.
 15Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even
 16when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of
 17identity-provider impossible-travel sign-in detections.
 18"""
 19false_positives = [
 20    """
 21    Legitimate users may appear in multiple countries within the window when using VPNs or proxies with exit nodes in
 22    different countries, when traveling near borders, or when mobile networks geolocate to different countries. Verify
 23    the source IPs and ASNs in "Esql.source_ip_values", confirm whether the locations are consistent with the user's
 24    expected activity, and exclude known VPN egress patterns after validation. Shared IAM users (an anti-pattern) used
 25    by multiple people will also match.
 26    """,
 27]
 28from = "now-65m"
 29interval = "10m"
 30language = "esql"
 31license = "Elastic License v2"
 32name = "AWS IAM User Console Login from Multiple Geolocations"
 33note = """## Triage and analysis
 34
 35### Investigating AWS IAM User Console Login from Multiple Geolocations
 36
 37This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim's live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.
 38
 39### Possible investigation steps
 40
 41- Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user's expected origin.
 42- Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
 43- Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
 44- Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.
 45
 46### False positive analysis
 47
 48- VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.
 49
 50### Response and remediation
 51
 52- If unauthorized, revoke the user's console sessions, reset the password and MFA, and rotate access keys.
 53- Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.
 54
 55### Additional information
 56
 57- [AWS sign-in CloudTrail events](https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
 58"""
 59references = ["https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/"]
 60risk_score = 47
 61rule_id = "5301ac83-7a43-4c92-95e7-c372afea807d"
 62severity = "medium"
 63tags = [
 64    "Domain: Cloud",
 65    "Domain: Identity",
 66    "Data Source: AWS",
 67    "Data Source: Amazon Web Services",
 68    "Data Source: AWS Sign-In",
 69    "Use Case: Identity and Access Audit",
 70    "Tactic: Initial Access",
 71    "Tactic: Credential Access",
 72    "Resources: Investigation Guide",
 73]
 74timestamp_override = "event.ingested"
 75type = "esql"
 76
 77query = '''
 78FROM logs-aws.cloudtrail-*
 79| WHERE event.provider == "signin.amazonaws.com"
 80  AND event.action == "ConsoleLogin"
 81  AND event.outcome == "success"
 82  AND aws.cloudtrail.user_identity.type == "IAMUser"
 83  AND source.geo.country_iso_code IS NOT NULL
 84| STATS
 85    Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
 86    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),
 87    Esql.source_ip_values = VALUES(source.ip),
 88    Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),
 89    Esql.timestamp_min = MIN(@timestamp),
 90    Esql.timestamp_max = MAX(@timestamp)
 91  BY aws.cloudtrail.user_identity.arn, cloud.account.id
 92| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
 93| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1078"
101name = "Valid Accounts"
102reference = "https://attack.mitre.org/techniques/T1078/"
103[[rule.threat.technique.subtechnique]]
104id = "T1078.004"
105name = "Cloud Accounts"
106reference = "https://attack.mitre.org/techniques/T1078/004/"
107
108
109
110[rule.threat.tactic]
111id = "TA0001"
112name = "Initial Access"
113reference = "https://attack.mitre.org/tactics/TA0001/"
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1539"
118name = "Steal Web Session Cookie"
119reference = "https://attack.mitre.org/techniques/T1539/"
120
121
122[rule.threat.tactic]
123id = "TA0006"
124name = "Credential Access"
125reference = "https://attack.mitre.org/tactics/TA0006/"

Triage and analysis

Investigating AWS IAM User Console Login from Multiple Geolocations

This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim's live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.

Possible investigation steps

  • Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user's expected origin.
  • Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
  • Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
  • Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.

False positive analysis

  • VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.

Response and remediation

  • If unauthorized, revoke the user's console sessions, reset the password and MFA, and rotate access keys.
  • Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.

Additional information

References

Related rules

to-top