← Back to Explore
sigmamediumHunting
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
Detection Query
selection:
eventName: ConsoleLogin
errorMessage: Failed authentication
condition: selection
Author
Ivan Saakov, Nasreddine Bencherchali
Created
2025-10-19
Data Sources
awscloudtrail
Platforms
aws
References
- https://naikordian.github.io/blog/posts/brute-force-aws-console/
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
Tags
attack.credential-accessattack.t1110
Raw Content
title: AWS ConsoleLogin Failed Authentication
id: 6393e346-1977-46ef-8987-ad414a145fad
status: experimental
description: |
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
references:
- https://naikordian.github.io/blog/posts/brute-force-aws-console/
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
- attack.credential-access
- attack.t1110
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'ConsoleLogin'
errorMessage: 'Failed authentication'
condition: selection
falsepositives:
- Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.
level: medium