AWS Suspect Console Pivot

View all detections
AWS Suspect Console Pivot


  • An account enumerates users or obtains details on their own account, after which they request a token for console login and use that token to login to the console.

Possible Root Causes

  • An attacker is pivoting from the AWS API to the AWS management console to continue their attack progression.
  • An administrator has started to use the AWS management console in an unusual way.

Business Impact

  • Lateral movement may indicate that an adversary has established a foothold in the environment and is progressing towards their objective, increasing the risk of material impact.

Steps to Verify

  • Investigate the account context that performed the action for other signs of malicious activity.
  • Review whether this account should have access to the console for their normal duties.
  • If review indicates possible malicious actions or high-risk configuration, revert configuration and disable credentials associated with this alert then perform a comprehensive investigation.