AWS ConsoleLogin Failed Authentication

calendar Oct 22, 2025 · attack.credential-access attack.t1110  ·
Share on: linkedin copy

Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.

Sigma rule (View on GitHub)

 1title: AWS ConsoleLogin Failed Authentication
 2id: 6393e346-1977-46ef-8987-ad414a145fad
 3status: experimental
 4description: |
 5        Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
 6references:
 7    - https://naikordian.github.io/blog/posts/brute-force-aws-console/
 8    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
 9    - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
10author: Ivan Saakov, Nasreddine Bencherchali
11date: 2025-10-19
12tags:
13    - attack.credential-access
14    - attack.t1110
15logsource:
16    product: aws
17    service: cloudtrail
18detection:
19    selection:
20        eventName: 'ConsoleLogin'
21        errorMessage: 'Failed authentication'
22    condition: selection
23falsepositives:
24    - Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.
25level: medium

References

  • How to brutefore AWS console sign-in

    Introduction I saw some vendors have a detection rule about AWS Console brute force login and I was curious if there any AWS console brute force tool. So I start google but found nothing and I think there should be a way to brute force.


    Read More

  • AWS Management Console Brute Force of Root User Identity

    AWS Management Console Brute Force of Root User Identity Rule ID PH_Rule_ES_IMPORT_AWS_3 Default Status Disabled Description Identifies a high number of failed authentication attempts to the AWS ma...


    Read More

  • {"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "accountId": "111111111111", "accessKeyId": "", "userName": "gowthamaraj_cli"}, "eventTime": "20...


    Read More

Related rules

to-top