AWS Sign-In Console Login with Federated User

  1[metadata]
  2creation_date = "2024/08/19"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/10/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary
 11credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may
 12indicate a security risk, as MFA adds an additional layer of security to the authentication process. However, CloudTrail
 13does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a
 14third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear
 15as “No/false” for federated console logins even if IdP MFA was required. This alert should be correlated with IdP
 16authentication logs to verify whether MFA was enforced for the session. Increase priority if you find a related
 17"GetSigninToken" event whose source IP / ASN / geo or user-agent differs from the subsequent "ConsoleLogin" (possible
 18token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can
 19be triaged with lower severity.
 20"""
 21from = "now-6m"
 22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 23language = "kuery"
 24license = "Elastic License v2"
 25name = "AWS Sign-In Console Login with Federated User"
 26note = """## Triage and analysis
 27
 28> **Disclaimer**:
 29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 30
 31### Investigating AWS Sign-In Console Login with Federated User
 32
 33Federated users in AWS are granted temporary credentials to access resources, often without the need for a permanent account. This setup is convenient but can be risky if not properly secured with multi-factor authentication (MFA). Adversaries might exploit this by using stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. This rule surfaces potentially risky access for analyst review and IdP correlation.
 34
 35### Possible investigation steps
 36
 37- **Identify the prinicipal involved**
 38  - `aws.cloudtrail.user_identity.arn` (federated session ARN)
 39  - `aws.cloudtrail.user_identity.session_context.session_issuer.*` (role ARN/name, account) of the identity that created the federated session.
 40- **Investigate the source context**
 41  - examine `source.ip`, ASN, `geo` fields, and `user_agent.original`
 42  - Compare against normal IP ranges, known user-agents and expected locations for this identity
 43#### Correlate to raise/lower priority
 44- **Check IdP MFA:** Find the corresponding IdP login around the same time and verify MFA was required and passed. If IdP shows **no MFA**, raise severity.
 45- **Federation token pivot:** Look for a nearby `signin.amazonaws.com` `GetSigninToken` API call.
 46  - **More suspicious:** token creation and console login from different public IPs/ASNs/geo fields.
 47  - **Less suspicious:** same IP and expected user agents within ~10–15 minutes (typical operator behavior).
 48- **Rareness/anomaly signals:** new/rare role or session issuer, rare source IP/ASN/geo, unusual time-of-day, multiple ConsoleLogin events from disparate networks in a short window.
 49- Review recent activity associated with the federated user to identify any unusual or unauthorized actions that may have occurred following the login event.
 50- Assess the configuration and policies of the Identity Provider (IdP) used for federated access to ensure MFA is enforced and properly configured for all users.
 51
 52### Related rules
 53- AWS Sign-In Token Created - f754e348-f36f-4510-8087-d7f29874cc12
 54
 55### False positive analysis
 56- Organizations using SSO for console access will routinely see federated `ConsoleLogin` where CloudTrail shows `MFAUsed: "No"` — this is expected due to IdP-side MFA.
 57- Internal tools/automation that create federation links (`GetSigninToken`) for operators.
 58- Maintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents.
 59
 60### Response and remediation
 61- If IdP confirms MFA and the source context is expected: document and close.
 62- If IdP shows no MFA or context is suspicious:
 63  - Notify the security team and relevant stakeholders about the potential security breach to ensure coordinated response efforts.
 64  - Disable/lock the IdP account pending review; invalidate IdP sessions if supported.
 65  - Temporarily restrict access (e.g., SCPs, session policies, IP-based conditions).
 66  - Conduct a thorough review of AWS CloudTrail logs to identify any suspicious activities or unauthorized access attempts associated with both the intitiating user and the federated user account.
 67  - Hunt for a preceding `GetSigninToken` from a different IP/ASN/UA (possible token relay).
 68  - Ensure IdP policy enforces MFA for AWS app access; re-verify role trust and least-privilege policies.
 69- Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.
 70- Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
 71"""
 72references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
 73risk_score = 47
 74rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
 75severity = "medium"
 76tags = [
 77    "Domain: Cloud",
 78    "Data Source: Amazon Web Services",
 79    "Data Source: AWS",
 80    "Data Source: AWS Sign-In",
 81    "Use Case: Identity and Access Audit",
 82    "Tactic: Initial Access",
 83    "Resources: Investigation Guide",
 84]
 85timestamp_override = "event.ingested"
 86type = "query"
 87
 88query = '''
 89event.dataset: "aws.cloudtrail" and 
 90    event.provider: "signin.amazonaws.com" and 
 91    event.action : "ConsoleLogin" and 
 92    aws.cloudtrail.user_identity.type: "FederatedUser" and
 93    event.outcome: "success"
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1078"
101name = "Valid Accounts"
102reference = "https://attack.mitre.org/techniques/T1078/"
103[[rule.threat.technique.subtechnique]]
104id = "T1078.004"
105name = "Cloud Accounts"
106reference = "https://attack.mitre.org/techniques/T1078/004/"
107
108
109
110[rule.threat.tactic]
111id = "TA0001"
112name = "Initial Access"
113reference = "https://attack.mitre.org/tactics/TA0001/"
114
115[rule.investigation_fields]
116field_names = [
117    "@timestamp",
118    "user.name",
119    "user_agent.original",
120    "source.ip",
121    "aws.cloudtrail.user_identity.arn",
122    "aws.cloudtrail.user_identity.type",
123    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
124    "aws.cloudtrail.user_identity.session_context.session_issuer.type",
125    "aws.cloudtrail.user_identity.access_key_id",
126    "event.action",
127    "event.outcome",
128    "cloud.account.id",
129    "cloud.region",
130]