Skip to content

ConsoleLogin

AWS

ConsoleLogin

service: AWS - SignIn
techniques:

Event

Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.

Security Context

  • Compromised credentials or stolen tokens allow adversaries to operate as legitimate users, making detection significantly more difficult.

Log Source

CloudTrail

Sample Event

Hermione signs in to the AWS Management Console for production from her corporate laptop with hardware MFA enrolled — the canonical successful-sign-in shape AWS itself documents. Note eventType: "AwsConsoleSignIn" (not AwsApiCall) and the absence of requestID for sign-in events.

{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDAHERM10NE000ADM1N",
"arn": "arn:aws:iam::555123456789:user/hermione",
"accountId": "555123456789",
"userName": "hermione"
},
"eventTime": "2026-04-15T13:42:11Z",
"eventSource": "signin.amazonaws.com",
"eventName": "ConsoleLogin",
"awsRegion": "us-east-1",
"sourceIPAddress": "198.51.100.42",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
"requestParameters": null,
"responseElements": {
"ConsoleLogin": "Success"
},
"additionalEventData": {
"LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8",
"MobileVersion": "No",
"MFAIdentifier": "arn:aws:iam::555123456789:mfa/hermione-yubikey",
"MFAUsed": "Yes"
},
"eventID": "90000000-0000-4000-8000-000000000110",
"readOnly": false,
"eventType": "AwsConsoleSignIn",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com"
}
}

MITRE ATT&CK Mapping

Tactics: Initial Access Stealth

Techniques:
  • T1078.004 — Cloud Accounts — Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of r...