AWS IAM User Console Login from Multiple Geolocations

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS IAM User Console Login from Multiple Geolocations

edit

Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account’s credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-65m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Identity
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS Sign-In
  • Use Case: Identity and Access Audit
  • Tactic: Initial Access
  • Tactic: Credential Access
  • Resources: Investigation Guide

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating AWS IAM User Console Login from Multiple Geolocations

This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim’s live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.

Possible investigation steps

  • Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user’s expected origin.
  • Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
  • Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
  • Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.

False positive analysis

  • VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.

Response and remediation

  • If unauthorized, revoke the user’s console sessions, reset the password and MFA, and rotate access keys.
  • Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.

Additional information

Rule query

edit
FROM logs-aws.cloudtrail-*
| WHERE event.provider == "signin.amazonaws.com"
  AND event.action == "ConsoleLogin"
  AND event.outcome == "success"
  AND aws.cloudtrail.user_identity.type == "IAMUser"
  AND source.geo.country_iso_code IS NOT NULL
| STATS
    Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),
    Esql.source_ip_values = VALUES(source.ip),
    Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),
    Esql.timestamp_min = MIN(@timestamp),
    Esql.timestamp_max = MAX(@timestamp)
  BY aws.cloudtrail.user_identity.arn, cloud.account.id
| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max

Framework: MITRE ATT&CKTM