AWS Sign-In (AWS-signin)

4 operations, identified by eventName in the audit log.

| eventName | Description |
|---|---|
| _catch_all | Catch-all entry for AWS-signin rules that match the service but not a specific eventName. |
| ConsoleLogin | Records an authentication attempt to the AWS Management Console, including whether it succeeded or failed. |
| GetSigninToken | Retrieves a sign-in token used to grant console access to a federated user via the AWS federation endpoint. |
| PasswordRecoveryRequested | Records a request to initiate the root account password recovery process. |

_catch_all: AWS-signin (catch-all)

Service: AWS-signin

Description: Catch-all entry for AWS-signin rules that match the service but not a specific eventName.

Fields

| Name | Description |
|---|---|
| eventName | The name of the API action that was called. |
| eventSource | The AWS service endpoint that received the request (e.g. iam.amazonaws.com). |
| eventType | CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents. |
| userIdentity | The IAM entity that made the request (type, principalId, arn, accountId, sessionContext). |
| sourceIPAddress | IP address of the caller, or the AWS service principal for service-initiated calls. |
| awsRegion | AWS Region the request was made to. |
| requestParameters | Parameters sent with the request. Shape is action-specific; null when none. |
| responseElements | Response elements. Shape is action-specific; null for reads or when absent. |
| errorCode | AWS service error code when the request failed. Absent on success. |
| errorMessage | Description of the error when errorCode is present. |

ConsoleLogin

Service: AWS-signin

Description: Records an authentication attempt to the AWS Management Console, including whether it succeeded or failed.

Fields

| Name | Description |
|---|---|
| eventName | The name of the API action that was called. |
| eventSource | The AWS service endpoint that received the request (e.g. iam.amazonaws.com). |
| eventType | CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents. |
| userIdentity | The IAM entity that made the request (type, principalId, arn, accountId, sessionContext). |
| sourceIPAddress | IP address of the caller, or the AWS service principal for service-initiated calls. |
| awsRegion | AWS Region the request was made to. |
| requestParameters | Parameters sent with the request. Shape is action-specific; null when none. |
| responseElements | Response elements. Shape is action-specific; null for reads or when absent. |
| errorCode | AWS service error code when the request failed. Absent on success. |
| errorMessage | Description of the error when errorCode is present. |

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | signin.amazonaws.com | 4 rules | elastic |
| aws::eventName | eq | ConsoleLogin | 4 rules | kusto, panther, sigma, splunk |
| aws::eventSource | eq | signin.amazonaws.com | 4 rules | panther, sigma |
| security_result.action | eq | ALLOW | 4 rules | chronicle |
| security_result.action | eq | BLOCK | 3 rules | chronicle |
| EventType | eq | ConsoleLogin | 3 rules | elastic |
| event.outcome | eq | success | 3 rules | elastic |
| event.outcome | eq | failure | 1 rule | elastic |
| aws::userIdentity.type | eq | Root | 2 rules | elastic, panther, sigma |
| aws::userIdentity.type | eq | AssumedRole | 1 rule | elastic, kusto, panther, sigma |
| responseElements.ConsoleLogin | eq | Failure | 2 rules | panther, sigma |
| security_result.description | eq | Reason: Failed authentication | 2 rules | chronicle |
| additionalEventData.MFAUsed | eq | Yes | 1 rule | panther, sigma, splunk |
| user.id | contains | :i- | 1 rule | elastic |

Detection Rules

Sigma

  • Many Failed Logins (severity: high): Detects multiple failed console login attempts, which may indicate an attacker attempting password guessing or password spraying. This rule can be evaded if the attacker uses a different source IP address for each login attempt, so you may want to not group by source IP address to detect that evasion. Also, you may want to group on user agents as well to reduce false positives; however, that will also make it easier to evade detection.

Elastic

  • AWS Management Console Brute Force of Root User Identity (severity: high): Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
  • AWS Management Console Root Login (severity: medium): Identifies a successful login to the AWS Management Console by the Root user.
  • AWS Sign-In Console Login with Federated User (severity: medium): Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. However, CloudTrail does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear as "No/false" for federated console logins even if IdP MFA was required. This alert should be correlated with IdP authentication logs to verify whether MFA was enforced for the session. Increase priority if you find a related "GetSigninToken" event whose source IP / ASN / geo or user-agent differs from the subsequent "ConsoleLogin" (possible token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can be triaged with lower severity.
  • AWS EC2 Instance Console Login via Assumed Role (severity: high): Detects successful AWS Management Console or federation login activity performed using an EC2 instance's assumed role credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2 instance ID) is highly anomalous and may indicate that an adversary obtained the instance's temporary credentials from the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement, privilege escalation, or persistence within the AWS account. (Also matches GetSigninToken.)
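The ConsoleLogin rules above reduce to two detection shapes: a threshold over failed logins inside a time window (per source IP, or ungrouped to catch the IP-rotation evasion the Sigma description mentions) and a filter on successful root logins. The following is an added example, not code from the page or from any vendor's rule set; it runs both shapes over constructed CloudTrail ConsoleLogin records that use the documented field names (responseElements.ConsoleLogin, userIdentity.type, additionalEventData.MFAUsed). All addresses, account IDs and timestamps are constructed sample data.

```python
"""Added example (not code from the original page or from any vendor's rule
set): evaluates the ConsoleLogin detection patterns listed above against
constructed CloudTrail records. Event shapes follow the documented CloudTrail
fields; every value below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(s):
    """Parse a CloudTrail eventTime such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(time, user_type, outcome, ip, mfa="No",
           arn="arn:aws:iam::111122223333:user/alice"):
    """Build a minimal ConsoleLogin record (constructed sample, not a real trail)."""
    return {
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": user_type, "arn": arn, "accountId": "111122223333"},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


SAMPLE_EVENTS = [
    # Burst of failures from one address: the classic per-IP brute-force signal.
    _event("2024-05-01T10:00:00Z", "IAMUser", "Failure", "198.51.100.7"),
    _event("2024-05-01T10:00:20Z", "IAMUser", "Failure", "198.51.100.7"),
    _event("2024-05-01T10:00:40Z", "IAMUser", "Failure", "198.51.100.7"),
    _event("2024-05-01T10:01:00Z", "IAMUser", "Failure", "198.51.100.7"),
    _event("2024-05-01T10:01:20Z", "IAMUser", "Failure", "198.51.100.7"),
    # The same number of failures spread over rotating addresses: invisible to
    # a per-IP grouping, which is the evasion the Sigma rule description warns about.
    _event("2024-05-01T11:00:00Z", "IAMUser", "Failure", "203.0.113.1"),
    _event("2024-05-01T11:00:10Z", "IAMUser", "Failure", "203.0.113.2"),
    _event("2024-05-01T11:00:20Z", "IAMUser", "Failure", "203.0.113.3"),
    _event("2024-05-01T11:00:30Z", "IAMUser", "Failure", "203.0.113.4"),
    _event("2024-05-01T11:00:40Z", "IAMUser", "Failure", "203.0.113.5"),
    # Successful root login with MFA, then an isolated failure hours later
    # that must not be joined to the morning burst.
    _event("2024-05-01T12:00:00Z", "Root", "Success", "192.0.2.10", mfa="Yes",
           arn="arn:aws:iam::111122223333:root"),
    _event("2024-05-01T18:00:00Z", "IAMUser", "Failure", "198.51.100.7"),
]


def is_console_login(ev):
    return (ev.get("eventSource") == "signin.amazonaws.com"
            and ev.get("eventName") == "ConsoleLogin")


def login_outcome(ev):
    """'Success' or 'Failure' from responseElements.ConsoleLogin (None if absent)."""
    return (ev.get("responseElements") or {}).get("ConsoleLogin")


def failure_bursts(events, threshold=5, window=timedelta(minutes=10),
                   group_by_ip=True, user_type=None):
    """Return the keys that reached `threshold` failed logins inside a sliding
    window. With group_by_ip=True the key is sourceIPAddress (Sigma 'Many
    Failed Logins'); with group_by_ip=False every failure shares the key '*',
    the ungrouped variant the rule suggests for catching IP rotation at the
    cost of more false positives. user_type='Root' narrows the search to the
    Elastic root brute-force case."""
    failures = [ev for ev in events
                if is_console_login(ev) and login_outcome(ev) == "Failure"
                and (user_type is None or ev["userIdentity"].get("type") == user_type)]
    buckets = defaultdict(list)
    for ev in sorted(failures, key=lambda e: e["eventTime"]):
        key = ev["sourceIPAddress"] if group_by_ip else "*"
        buckets[key].append(_ts(ev["eventTime"]))
    hits = []
    for key, times in buckets.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return sorted(hits)


def root_console_logins(events):
    """Elastic 'AWS Management Console Root Login': successful ConsoleLogin by
    the root user, returned as (sourceIPAddress, MFAUsed) for triage."""
    return [(ev["sourceIPAddress"],
             (ev.get("additionalEventData") or {}).get("MFAUsed", "No"))
            for ev in events
            if is_console_login(ev)
            and ev["userIdentity"].get("type") == "Root"
            and login_outcome(ev) == "Success"]


if __name__ == "__main__":
    print("per-IP bursts:", failure_bursts(SAMPLE_EVENTS))
    print("ungrouped burst:", failure_bursts(SAMPLE_EVENTS, group_by_ip=False))
    print("root logins:", root_console_logins(SAMPLE_EVENTS))
```

Run against the constructed sample, the per-IP variant reports only 198.51.100.7, while the rotating-address spray in the 11:00 block is caught only by the ungrouped variant; the trade-off is exactly the one the Sigma description states, so a production deployment would typically run both with different thresholds.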

YARA-L

GetSigninToken

Service: AWS-signin

Description: Retrieves a sign-in token used to grant console access to a federated user via the AWS federation endpoint.

Fields

| Name | Description |
|---|---|
| eventName | The name of the API action that was called. |
| eventSource | The AWS service endpoint that received the request (e.g. iam.amazonaws.com). |
| eventType | CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents. |
| userIdentity | The IAM entity that made the request (type, principalId, arn, accountId, sessionContext). |
| sourceIPAddress | IP address of the caller, or the AWS service principal for service-initiated calls. |
| awsRegion | AWS Region the request was made to. |
| requestParameters | Parameters sent with the request. Shape is action-specific; null when none. |
| responseElements | Response elements. Shape is action-specific; null for reads or when absent. |
| errorCode | AWS service error code when the request failed. Absent on success. |
| errorMessage | Description of the error when errorCode is present. |

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | signin.amazonaws.com | 2 rules | elastic |
| aws::eventName | eq | GetSigninToken | 1 rule | panther, sigma |
| aws::eventSource | eq | signin.amazonaws.com | 1 rule | panther, sigma |
| aws::userIdentity.type | eq | AssumedRole | 1 rule | elastic, kusto, panther, sigma |
| user.id | contains | :i- | 1 rule | elastic |

Detection Rules

Sigma

  • AWS Console GetSigninToken Potential Abuse (severity: medium): Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.

Elastic

  • AWS Sign-In Token Created (severity: low): Captures requests to the AWS federation endpoint (signin.amazonaws.com) for GetSigninToken. This API exchanges existing temporary AWS credentials (e.g., from STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is embedded in a one-click URL to the AWS Management Console. It is commonly used by custom federation tools and automation to pivot from programmatic access to a browser session. This is a building block rule meant to be used for correlation with other rules to detect suspicious activity.
  • AWS EC2 Instance Console Login via Assumed Role (severity: high): Detects successful AWS Management Console or federation login activity performed using an EC2 instance's assumed role credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2 instance ID) is highly anomalous and may indicate that an adversary obtained the instance's temporary credentials from the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement, privilege escalation, or persistence within the AWS account. (Also matches ConsoleLogin.)
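Two of the rules on this page call for logic that goes beyond a single-event match: the EC2 instance-role check (the ":i-" session-name indicator, listed under both ConsoleLogin and GetSigninToken) and the GetSigninToken to ConsoleLogin pairing that the Elastic federated-login rule recommends for triage, where the token and the subsequent login coming from different addresses raises priority. The following is an added example, not code from the page or from any vendor's rule set, covering both. It works on constructed signin.amazonaws.com records with the documented field names; the principal IDs, ARNs, addresses and user agents are constructed, and the responseElements shape for a successful GetSigninToken is an assumption (the code only relies on errorCode being absent on success, as the field table states).

```python
"""Added example (not code from the original page or from any vendor's rule
set): applies the two GetSigninToken patterns above to constructed CloudTrail
records: the EC2 instance-role session check (':i-' in the principal), shared
with the ConsoleLogin section, and the GetSigninToken -> ConsoleLogin
correlation that the Elastic federated-login rule suggests for triage. All
identities, addresses and user agents are constructed; the responseElements
shape for a successful GetSigninToken is assumed."""
from datetime import datetime, timedelta, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(name, time, ip, user_agent, principal_id, arn, error=None):
    """Minimal signin.amazonaws.com record for an AssumedRole principal."""
    ev = {
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "principalId": principal_id,
                         "arn": arn, "accountId": "111122223333"},
        "sourceIPAddress": ip,
        "userAgent": user_agent,
    }
    if error:
        ev["errorCode"] = error            # absent on success, per the field table
    elif name == "ConsoleLogin":
        ev["responseElements"] = {"ConsoleLogin": "Success"}
    return ev


# Constructed principals: a deployment role session and an EC2 instance-role
# session whose session name is the instance ID (the ':i-' indicator).
BOT = ("AROAEXAMPLEBOT00:deploy-bot",
       "arn:aws:sts::111122223333:assumed-role/DeployRole/deploy-bot")
INSTANCE = ("AROAEXAMPLEWEB00:i-0abc123def4567890",
            "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc123def4567890")

SAMPLE_EVENTS = [
    # Expected operator flow: token minted and used from the same address.
    _event("GetSigninToken", "2024-05-01T09:00:00Z", "192.0.2.10", "aws-cli/2.15", *BOT),
    _event("ConsoleLogin", "2024-05-01T09:00:30Z", "192.0.2.10", "Mozilla/5.0", *BOT),
    # Instance-role credentials: token minted from the instance's address,
    # login minutes later from somewhere else entirely.
    _event("GetSigninToken", "2024-05-01T13:00:00Z", "203.0.113.50", "python-requests/2.31", *INSTANCE),
    _event("ConsoleLogin", "2024-05-01T13:05:00Z", "198.51.100.99", "Mozilla/5.0", *INSTANCE),
    # Failed token request: must not count as a successful instance-role event.
    _event("GetSigninToken", "2024-05-01T14:00:00Z", "203.0.113.50", "python-requests/2.31",
           *INSTANCE, error="AccessDenied"),
]


def succeeded(ev):
    """errorCode is absent on success; ConsoleLogin additionally reports its outcome."""
    if "errorCode" in ev:
        return False
    if ev["eventName"] == "ConsoleLogin":
        return (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    return True


def is_instance_role_session(ev):
    """True when an AssumedRole principal's session name (the part after ':')
    looks like an EC2 instance ID, i.e. the ':i-' indicator in the table above."""
    ident = ev.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return False
    _, _, session = ident.get("principalId", "").partition(":")
    return session.startswith("i-")


def instance_role_console_activity(events):
    """Successful ConsoleLogin or GetSigninToken events from an instance-role session."""
    return [(ev["eventName"], ev["userIdentity"]["arn"]) for ev in events
            if ev.get("eventSource") == "signin.amazonaws.com"
            and ev["eventName"] in ("ConsoleLogin", "GetSigninToken")
            and is_instance_role_session(ev) and succeeded(ev)]


def correlate_token_to_login(events, window=timedelta(minutes=15)):
    """Pair each successful ConsoleLogin with the latest successful
    GetSigninToken by the same principal inside `window`. A different source
    IP between the two is the relay/abuse hint from the rule text and raises
    the severity. User agents are reported but not scored: a CLI mints the
    token and a browser uses it, so they differ in normal use as well."""
    tokens = [e for e in events if e["eventName"] == "GetSigninToken" and succeeded(e)]
    findings = []
    for login in (e for e in events if e["eventName"] == "ConsoleLogin" and succeeded(e)):
        pid = login["userIdentity"].get("principalId")
        t_login = _ts(login["eventTime"])
        prior = [t for t in tokens
                 if t["userIdentity"].get("principalId") == pid
                 and timedelta(0) <= t_login - _ts(t["eventTime"]) <= window]
        if not prior:
            continue
        tok = max(prior, key=lambda t: t["eventTime"])
        ip_changed = tok["sourceIPAddress"] != login["sourceIPAddress"]
        findings.append({
            "principalId": pid,
            "token_ip": tok["sourceIPAddress"], "login_ip": login["sourceIPAddress"],
            "token_ua": tok.get("userAgent"), "login_ua": login.get("userAgent"),
            "severity": "high" if ip_changed else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_token_to_login(SAMPLE_EVENTS):
        print(finding)
    print(instance_role_console_activity(SAMPLE_EVENTS))
```

On the constructed sample the deploy-bot pair is scored low (same address, short gap) and the instance-role pair high; the instance-role check independently flags both of that principal's successful events and ignores the failed token request, since a denied GetSigninToken never produced a usable sign-in URL.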

PasswordRecoveryRequested

Service: AWS-signin

Description: Records a request to initiate the root account password recovery process.

Fields

| Name | Description |
|---|---|
| eventName | The name of the API action that was called. |
| eventSource | The AWS service endpoint that received the request (e.g. iam.amazonaws.com). |
| eventType | CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents. |
| userIdentity | The IAM entity that made the request (type, principalId, arn, accountId, sessionContext). |
| sourceIPAddress | IP address of the caller, or the AWS service principal for service-initiated calls. |
| awsRegion | AWS Region the request was made to. |
| requestParameters | Parameters sent with the request. Shape is action-specific; null when none. |
| responseElements | Response elements. Shape is action-specific; null for reads or when absent. |
| errorCode | AWS service error code when the request failed. Absent on success. |
| errorMessage | Description of the error when errorCode is present. |

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
| Provider_Name | eq | signin.amazonaws.com | 1 rule | elastic |

Detection Rules

Elastic

  • AWS Sign-In Root Password Recovery Requested (severity: high): Identifies a password recovery request for the AWS account root user. In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user's "Forgot your password?" flow. Other identity types, like IAM and federated users, do not generate this event. This alert indicates that someone initiated the root password reset workflow for this account. Verify whether this was an expected action and review identity provider notifications/email to confirm legitimacy.