Triggers
- An account enumerates users or obtains details on their own account, after which they request a token for console login and use that token to login to the console.
Possible Root Causes
- An attacker is pivoting from the AWS API to the AWS management console to continue their attack progression.
- An administrator has started to use the AWS management console in an unusual way.
Business Impact
- Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Review whether this account should have access to the console for their normal duties.
- If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.