AWS Signin Single Factor Console Login with Federated User

Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.


 1[metadata]
 2creation_date = "2024/08/19"
 3integration = ['aws']
 4maturity = "production"
 5updated_date = "2024/10/09"
 6min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
 7min_stack_version = "8.13.0"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA).
13Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS
14Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to
15the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.
16"""
17from = "now-9m"
18language = "esql"
19license = "Elastic License v2"
20name = "AWS Signin Single Factor Console Login with Federated User"
21references = [
22    "https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"
23]
24risk_score = 47
25rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
26severity = "medium"
27tags = [
28    "Domain: Cloud",
29    "Data Source: Amazon Web Services",
30    "Data Source: AWS",
31    "Data Source: AWS Sign-In",
32    "Use Case: Threat Detection",
33    "Tactic: Initial Access",
34]
35timestamp_override = "event.ingested"
36type = "esql"
37
38query = '''
39from logs-aws.cloudtrail-* metadata _id, _version, _index
40| where
41    event.provider == "signin.amazonaws.com"
42    and event.action == "GetSigninToken"
43    and aws.cloudtrail.event_type == "AwsConsoleSignIn"
44    and aws.cloudtrail.user_identity.type == "FederatedUser"
45| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
46| where mfa_used == "No"
47| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type
48'''
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1078"
54name = "Valid Accounts"
55reference = "https://attack.mitre.org/techniques/T1078/"
56[[rule.threat.technique.subtechnique]]
57id = "T1078.004"
58name = "Cloud Accounts"
59reference = "https://attack.mitre.org/techniques/T1078/004/"
60
61
62[rule.threat.tactic]
63id = "TA0001"
64name = "Initial Access"
65reference = "https://attack.mitre.org/tactics/TA0001/"
