AWS Signin Single Factor Console Login with Federated User

edit

AWS Signin Single Factor Console Login with Federated User

edit

Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Data Source: Amazon Web Services
  • Data Source: AWS
  • Data Source: AWS Sign-In
  • Use Case: Threat Detection
  • Tactic: Initial Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where
    event.provider == "signin.amazonaws.com"
    and event.action == "GetSigninToken"
    and aws.cloudtrail.event_type == "AwsConsoleSignIn"
    and aws.cloudtrail.user_identity.type == "FederatedUser"
| dissect aws.cloudtrail.additional_eventdata "{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}"
| where mfa_used == "No"
| keep @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type

Framework: MITRE ATT&CKTM