Multiple Failed Login Attempts For IAM User
Overview
This detector creates an issue when there are multiple failed attempts to log in to the AWS Management Console for your account as an IAM user within a configurable period of time. This includes login attempts with valid usernames as well as invalid usernames, which CloudTrail reports as "HIDDEN_DUE_TO_SECURITY_REASONS".
This detector specifically monitors AWS CloudTrail for 'ConsoleLogin' events with responseElements: {"ConsoleLogin": "Failure"}.
Failed login attempts could be an indication of an attacker attempting to discover credentials through brute force.
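The matching and counting logic described above, as an added example (not the detector's own code). The threshold of 3, the 10-minute window, grouping by recipientAccountId and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _login(time, user, result):
    """Build a constructed ConsoleLogin record (sample data, not real logs)."""
    return {"eventName": "ConsoleLogin", "eventTime": time,
            "recipientAccountId": "111122223333",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": result}}

SAMPLE_EVENTS = [
    _login("2024-05-01T10:00:00Z", "alice", "Failure"),
    # Invalid username: CloudTrail hides the value that was typed.
    _login("2024-05-01T10:01:00Z", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure"),
    _login("2024-05-01T10:02:00Z", "alice", "Success"),
    _login("2024-05-01T10:03:00Z", "alice", "Failure"),
    _login("2024-05-01T11:30:00Z", "bob", "Failure"),
    # Unrelated API call with null responseElements must be ignored.
    {"eventName": "ListBuckets", "eventTime": "2024-05-01T10:02:30Z",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": None},
]

def is_failed_iam_console_login(ev):
    """True for ConsoleLogin events with responseElements ConsoleLogin=Failure."""
    return (ev.get("eventName") == "ConsoleLogin"
            and (ev.get("userIdentity") or {}).get("type") == "IAMUser"
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Failure")

def detect(events, threshold=3, window=timedelta(minutes=10)):
    """Return one issue per burst of >= threshold failures inside the window."""
    issues, recent = [], defaultdict(deque)  # account id -> failures in window
    failed = [e for e in events if is_failed_iam_console_login(e)]
    failed.sort(key=lambda e: e["eventTime"])  # ISO 8601 UTC sorts by time
    for ev in failed:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[ev["recipientAccountId"]]
        q.append((ts, ev["userIdentity"].get("userName")))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            issues.append({"account": ev["recipientAccountId"], "count": len(q),
                           "users": sorted({u for _, u in q}),
                           "last_seen": ev["eventTime"]})
            q.clear()  # start a new window so one burst raises one issue
    return issues

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Valid and hidden usernames count toward the same total because the failures are grouped by account rather than by user name.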
Vendor
AWS
Severity
4