AWS IAM User Console Login from Multiple Geolocations
editAWS IAM User Console Login from Multiple Geolocations
editIdentifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within a short window. A single user authenticating from multiple geographic locations in a brief period is physically implausible and indicates that the account’s credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations are the detectable signal even when MFA appears satisfied (AiTM relays the live MFA challenge). This is the CloudTrail-native analog of identity-provider impossible-travel sign-in detections.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-65m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Identity
- Data Source: AWS
- Data Source: Amazon Web Services
- Data Source: AWS Sign-In
- Use Case: Identity and Access Audit
- Tactic: Initial Access
- Tactic: Credential Access
- Resources: Investigation Guide
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating AWS IAM User Console Login from Multiple Geolocations
This rule aggregates successful "ConsoleLogin" events for each IAM user over the lookback window and alerts when the logins originate from two or more distinct countries. Concurrent sign-ins from different geographies indicate the credentials or console session are in use from more than one location, a strong signal of adversary-in-the-middle (AiTM) phishing or session theft. AiTM relays the victim’s live MFA, so the console login records MFA as used; the divergent geolocations, not the MFA field, are the indicator.
Possible investigation steps
- Review "Esql.source_geo_country_iso_code_values" and "Esql.source_ip_values" to identify the locations and networks, and determine which (if any) is the user’s expected origin.
- Compare "Esql.timestamp_min" and "Esql.timestamp_max" to assess how implausible the travel is.
- Identify the user in "aws.cloudtrail.user_identity.arn" and check for hands-on-keyboard activity immediately after the logins (CreateAccessKey, login profile or MFA changes, IAM policy changes, data access).
- Determine whether any of the source networks are VPNs, proxies, or hosting providers inconsistent with the user.
False positive analysis
- VPN/proxy exit nodes, border travel, and mobile roaming can place a legitimate user in multiple countries. Confirm the activity is expected and exclude known networks after validation. Shared IAM users will also trigger this and should be remediated.
Response and remediation
- If unauthorized, revoke the user’s console sessions, reset the password and MFA, and rotate access keys.
- Review and revert changes made during the sessions, and migrate console access to IAM Identity Center with phishing-resistant MFA (FIDO2/passkeys), which defeats AiTM relay.
Additional information
Rule query
editFROM logs-aws.cloudtrail-*
| WHERE event.provider == "signin.amazonaws.com"
AND event.action == "ConsoleLogin"
AND event.outcome == "success"
AND aws.cloudtrail.user_identity.type == "IAMUser"
AND source.geo.country_iso_code IS NOT NULL
| STATS
Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),
Esql.source_ip_values = VALUES(source.ip),
Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),
Esql.timestamp_min = MIN(@timestamp),
Esql.timestamp_max = MAX(@timestamp)
BY aws.cloudtrail.user_identity.arn, cloud.account.id
| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Steal Web Session Cookie
- ID: T1539
- Reference URL: https://attack.mitre.org/techniques/T1539/