AWS

Last updated Apr 30, 2025

AWS Console External Login

User logs in to the AWS console from an external location.

Query

Detects when the AWS CloudTrail audit log event name is ConsoleLogin, the source IP address does not belong to the “internal network range,” and the authentication result is Success.

| search event_name == "ConsoleLogin"
| matchnet guid="bb994ca4-1471-4b91-89f2-99a61bd529b5" field=src_ip invert=t
| eval outcome = valueof(resp_params, "ConsoleLogin")
| search outcome == "Success"
| rename account_id as cloud_account, aws_region as cloud_region
| lookup geoip src_ip output country as src_country, asn as src_asn
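The same three conditions (ConsoleLogin, source IP outside the internal range, outcome Success) applied to raw CloudTrail records, as an added example that is not part of the original rule. The internal CIDRs and the sample records are constructed for the example; they stand in for the matchnet network group and for real audit logs.

```python
import ipaddress

# Constructed internal ranges standing in for the rule's "internal network range"
# network group (the matchnet guid on the page); assumed values for this example.
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]

def is_internal(ip_str):
    """True when the source IP falls inside any configured internal range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # CloudTrail may carry a DNS name instead of an IP for some events;
        # treat that as not internal so the login still surfaces for review.
        return False
    return any(ip in net for net in INTERNAL_RANGES)

def external_console_logins(records):
    """Mirror the query: ConsoleLogin, external src_ip, ConsoleLogin == Success."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        src_ip = r.get("sourceIPAddress", "")
        if is_internal(src_ip):
            continue
        outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
        if outcome != "Success":
            continue
        ident = r.get("userIdentity") or {}
        hits.append({
            "cloud_account": r.get("recipientAccountId"),
            "cloud_region": r.get("awsRegion"),
            "src_ip": src_ip,
            "user": ident.get("userName") or ident.get("type"),
            "user_type": ident.get("type"),
            "mfa_used": (r.get("additionalEventData") or {}).get("MFAUsed"),
            "outcome": outcome,
        })
    return hits

SAMPLE_RECORDS = [  # constructed CloudTrail-style records, not real events
    {"eventName": "ConsoleLogin", "sourceIPAddress": "10.20.30.40", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "awsRegion": "ap-northeast-2",
     "recipientAccountId": "111111111111", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]
```

Only the third record matches; the internal login and the external failure are filtered out, and the hit carries the MFA flag so the Root-without-MFA case in the response actions is visible at triage time.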

Message

  • AWS console external login: Cloud $cloud_account, Region $cloud_region, Account $user, Access IP $src_ip ($src_asn)

Output field order

  • _log_time, cloud_account, cloud_region, src_ip, src_country, src_asn, user, user_type, event_source, event_name, outcome, user_agent, error_message, additional_event_data, resp_params, tls_details

Threat Analysis

  • The attacker may have obtained AWS console credentials of the company account through phishing, data leakage, or password reuse.
  • A successful login event from an external network (IP, ASN, country) that is not the corporate intranet or VPN is judged to be a sign of initial access or re-entry (persistence) after intrusion through account takeover.
  • The attacker can use the obtained privileges from an external location to manipulate cloud resources, exfiltrate data, escalate privileges, and pose as a legitimate user, which makes detection difficult.
  • Particularly, if detected on an administrator account, it could pose a critical threat to the organization’s entire cloud environment.

False Positive Types

  • An administrator may legitimately log in to the AWS console from an external network while on a business trip, working from home, or on the move.
  • If the VPN connection is unstable, an internal user may temporarily access via an external network as part of normal activity.
  • Contractors or outsourced personnel may legitimately access with approved accounts from external networks.
  • Access may also be detected as non-internal if it originates from public cloud proxies, CDNs, or mobile ISP environments.

Response Actions

  • When a detection event occurs, immediately confirm with the account owner whether the login attempt was legitimate.
  • Perform additional log analysis to check for simultaneous logins of the same account from different regions/ASNs, abnormal API calls, or privilege escalation attempts.
  • If MFA is not enabled for AWS IAM users and the Root account, enforce it without delay.
  • Use AWS IAM policies or IdP (SSO) conditional access to restrict console access only from the corporate intranet or VPN.
  • Correlate detection of external successful login events with IAM changes, new access key issuance, EC2 operations, and data access attempts to monitor anomalies.
  • If confirmed as unauthorized, immediately reset the account password, invalidate sessions, and revoke access keys if necessary.

MITRE ATT&CK