AWS Signin Single Factor Console Login with Federated User
Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.
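# Rule bookkeeping read by the Elastic detection-rules tooling, not by the query itself.
[metadata]
creation_date = "2024/08/19"
integration = ['aws']
maturity = "production"
updated_date = "2024/08/19"
# The ES|QL rule type is gated behind a minimum stack version; the comment records why.
min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
min_stack_version = "8.13.0"
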
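[rule]
author = ["Elastic"]
description = """
Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA).
Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS
Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to
the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.
"""
# Lookback window per execution; measured against event.ingested (see timestamp_override
# below) rather than the event's own timestamp, so ingest lag does not drop events.
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "AWS Signin Single Factor Console Login with Federated User"
references = [
  "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/",
]
risk_score = 47
rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Data Source: Amazon Web Services",
  "Data Source: AWS",
  "Data Source: AWS Sign-In",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "esql"

# Console sign-in (GetSigninToken) events whose caller identity is a FederatedUser.
# additional_eventdata is a serialized "{key=value, key=value}" string; the dissect pattern
# expects exactly two fields in this fixed order, discards both key names (%{?...}) and keeps
# the second value as mfa_used.
# NOTE(review): a record whose additional_eventdata has a different field order or extra
# fields will not match the dissect and is silently excluded by the final where — confirm
# the field layout against sample CloudTrail sign-in records before relying on this.
query = '''
from logs-aws.cloudtrail-*
| where
    event.provider == "signin.amazonaws.com"
    and event.action == "GetSigninToken"
    and aws.cloudtrail.event_type == "AwsConsoleSignIn"
    and aws.cloudtrail.user_identity.type == "FederatedUser"
| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
| where mfa_used == "No"
'''
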
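# MITRE ATT&CK mapping: one threat entry carrying one technique/sub-technique and its tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

# Sub-table of the single [[rule.threat]] element above; must stay after it.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"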
References
Related rules
- AWS S3 Object Versioning Suspended
- AWS Lambda Function Policy Updated to Allow Public Invocation
- AWS Lambda Layer Added to Existing Function
- AWS S3 Bucket Policy Added to Share with External Account
- Insecure AWS EC2 VPC Security Group Ingress Rule Added