ConsoleLogin
AWS
ConsoleLogin
Event
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
Security Context
- Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.
Log Source
CloudTrail
Sample Event
Hermione signs in to the AWS Management Console for production from her corporate laptop with hardware MFA enrolled — the canonical successful-sign-in shape AWS itself documents. Note eventType: "AwsConsoleSignIn" (not AwsApiCall) and the absence of requestID for sign-in events.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "AIDAHERM10NE000ADM1N", "arn": "arn:aws:iam::555123456789:user/hermione", "accountId": "555123456789", "userName": "hermione" }, "eventTime": "2026-04-15T13:42:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.42", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8", "MobileVersion": "No", "MFAIdentifier": "arn:aws:iam::555123456789:mfa/hermione-yubikey", "MFAUsed": "Yes" }, "eventID": "90000000-0000-4000-8000-000000000110", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" }}MITRE ATT&CK Mapping
Tactics: Initial Access Stealth
Techniques:
- T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...