AWS IAM User Console Login from Multiple Geolocations

Last updated 2026-06-29
Created 2026-06-29

About

Identifies an IAM user that successfully signs in to the AWS Management Console from two or more distinct countries within the rule's query window. The country is taken from GeoIP enrichment of the sign-in source IP (source.geo.country_iso_code), so the rule only evaluates records where that enrichment is present. A single user authenticating from multiple countries in a brief period is physically implausible and indicates that the account's credentials or console session are being used from more than one place at once. This is a hallmark of adversary-in-the-middle (AiTM) phishing and session theft, where the legitimate user signs in from their own location while the attacker replays the captured session or credentials from their own infrastructure. Because the attacker logs in from a different network, the divergent sign-in geolocations remain the detectable signal even when MFA appears satisfied, since an AiTM relay passes the live MFA challenge through to the victim. This is the CloudTrail-native analog of the impossible-travel sign-in detections offered by identity providers. Results are grouped per IAM user ARN and AWS account, and the distinct count of source ASNs is reported alongside the countries to help triage: two countries on two unrelated networks is a stronger signal than two countries on the same VPN provider's ASN.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Sign-In
Use Case: Identity and Access Audit
Tactic: Initial Access
Tactic: Credential Access
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Credential Access (TA0006)

False Positive Examples
Legitimate users may appear in multiple countries within the window when using VPNs or proxies whose exit nodes sit in different countries, when traveling near borders, or when mobile carriers geolocate their address space to a different country. Verify the source IPs in "Esql.source_ip_values" and the number of distinct ASNs in "Esql.source_as_organization_name_count_distinct": a value of 1 across several countries is typical of a single VPN provider, whereas 2 or more points to genuinely separate networks. Confirm whether the locations are consistent with the user's expected activity, and exclude known VPN egress patterns only after validation, since a blanket ASN exclusion also hides an attacker who uses the same provider. Shared IAM users (an anti-pattern) used by multiple people will also match, because the rule groups sign-ins per IAM user ARN and account rather than per person.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

aws

Query
FROM logs-aws.cloudtrail-*
| WHERE event.provider == "signin.amazonaws.com"
    AND event.action == "ConsoleLogin"
    AND event.outcome == "success"
    AND aws.cloudtrail.user_identity.type == "IAMUser"
    AND source.geo.country_iso_code IS NOT NULL
| STATS Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),
        Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.as.organization.name),
        Esql.source_ip_values = VALUES(source.ip),
        Esql.source_geo_country_iso_code_values = VALUES(source.geo.country_iso_code),
        Esql.timestamp_min = MIN(@timestamp),
        Esql.timestamp_max = MAX(@timestamp)
    BY aws.cloudtrail.user_identity.arn, cloud.account.id
| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2
| KEEP aws.cloudtrail.user_identity.arn, cloud.account.id, Esql.source_geo_country_iso_code_count_distinct, Esql.source_as_organization_name_count_distinct, Esql.source_ip_values, Esql.source_geo_country_iso_code_values, Esql.timestamp_min, Esql.timestamp_max
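The following is an added worked example, not part of the Elastic rule or its documentation: a Python re-implementation of the query logic above, run over constructed CloudTrail-style records, so the filter, grouping and threshold described in the About section and the ASN-based triage and tuning described under False Positive Examples can be exercised offline. The records, account id, ARNs, IPs and ASN names are all made up; the field names follow the ECS fields the ES|QL query uses. The explicit window parameters stand in for the detection engine's scheduled lookback, which the ES|QL query itself does not spell out, and the optional excluded_asns set is a hypothetical tuning hook, not a feature of the rule.

```python
# Added example: Python mirror of the ES|QL rule over constructed CloudTrail-style events.
# Not Elastic's code. All sample data below is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def login_event(ts, arn, account, ip, country, asn, outcome="success", identity_type="IAMUser"):
    """Build one constructed ConsoleLogin record using the ECS field names the rule keys on."""
    return {
        "@timestamp": ts,
        "event.provider": "signin.amazonaws.com",
        "event.action": "ConsoleLogin",
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.type": identity_type,
        "aws.cloudtrail.user_identity.arn": arn,
        "cloud.account.id": account,
        "source.ip": ip,
        "source.geo.country_iso_code": country,   # None models missing GeoIP enrichment
        "source.as.organization.name": asn,
    }


ACCT = "111122223333"  # constructed account id
SAMPLE_EVENTS = [
    # alice: legitimate US sign-in, then an AiTM relay replays the captured session from NL
    # twelve minutes later on an unrelated hosting ASN. Expected: alert, 2 countries, 2 ASNs.
    login_event("2026-06-29T09:00:00Z", f"arn:aws:iam::{ACCT}:user/alice", ACCT, "198.51.100.20", "US", "ExampleCorp ISP"),
    login_event("2026-06-29T09:12:00Z", f"arn:aws:iam::{ACCT}:user/alice", ACCT, "203.0.113.77", "NL", "Example Hosting BV"),
    # bob: the foreign attempt failed, so only one successful country is seen. Expected: no alert.
    login_event("2026-06-29T09:05:00Z", f"arn:aws:iam::{ACCT}:user/bob", ACCT, "198.51.100.21", "US", "ExampleCorp ISP"),
    login_event("2026-06-29T09:06:00Z", f"arn:aws:iam::{ACCT}:user/bob", ACCT, "203.0.113.9", "BR", "Example Hosting BV", outcome="failure"),
    # carol: assumed-role sessions are not IAMUser sign-ins and are out of scope for this rule.
    login_event("2026-06-29T09:07:00Z", f"arn:aws:sts::{ACCT}:assumed-role/Admin/carol", ACCT, "198.51.100.22", "US", "ExampleCorp ISP", identity_type="AssumedRole"),
    login_event("2026-06-29T09:08:00Z", f"arn:aws:sts::{ACCT}:assumed-role/Admin/carol", ACCT, "203.0.113.10", "IN", "Example Hosting BV", identity_type="AssumedRole"),
    # erin: consumer VPN whose exit nodes geolocate to DE and FR, same ASN both times.
    # Expected: alert with 1 distinct ASN, the false-positive pattern the rule notes describe.
    login_event("2026-06-29T09:20:00Z", f"arn:aws:iam::{ACCT}:user/erin", ACCT, "192.0.2.30", "DE", "ExampleVPN Ltd"),
    login_event("2026-06-29T09:25:00Z", f"arn:aws:iam::{ACCT}:user/erin", ACCT, "192.0.2.31", "FR", "ExampleVPN Ltd"),
    # frank: first record lacks GeoIP enrichment and is dropped by the IS NOT NULL filter.
    login_event("2026-06-29T09:30:00Z", f"arn:aws:iam::{ACCT}:user/frank", ACCT, "198.51.100.23", None, "ExampleCorp ISP"),
    login_event("2026-06-29T09:31:00Z", f"arn:aws:iam::{ACCT}:user/frank", ACCT, "198.51.100.24", "US", "ExampleCorp ISP"),
]

# Stand-in for the detection engine's scheduled lookback (constructed values).
WINDOW_END = parse_ts("2026-06-29T10:00:00Z")
WINDOW_START = WINDOW_END - timedelta(hours=1)


def detect(events, window_start, window_end, excluded_asns=frozenset()):
    """Mirror the rule: filter, group by (user ARN, account), alert on >= 2 distinct countries.

    excluded_asns is a hypothetical tuning hook for validated VPN egress ASNs; records from
    those ASNs are dropped before grouping, so they cannot contribute a second country.
    """
    groups = defaultdict(list)
    for e in events:
        when = parse_ts(e["@timestamp"])
        if not (window_start <= when <= window_end):
            continue
        if (e["event.provider"], e["event.action"], e["event.outcome"]) != (
            "signin.amazonaws.com", "ConsoleLogin", "success"
        ):
            continue
        if e["aws.cloudtrail.user_identity.type"] != "IAMUser":
            continue
        if e["source.geo.country_iso_code"] is None:
            continue
        if e["source.as.organization.name"] in excluded_asns:
            continue
        groups[(e["aws.cloudtrail.user_identity.arn"], e["cloud.account.id"])].append((when, e))

    findings = []
    for (arn, account), rows in groups.items():
        countries = {e["source.geo.country_iso_code"] for _, e in rows}
        if len(countries) < 2:          # the rule's threshold
            continue
        findings.append({
            "arn": arn,
            "account": account,
            "country_count": len(countries),
            "countries": sorted(countries),
            "asn_count": len({e["source.as.organization.name"] for _, e in rows}),
            "ips": sorted({e["source.ip"] for _, e in rows}),
            "first": min(t for t, _ in rows),
            "last": max(t for t, _ in rows),
        })
    return sorted(findings, key=lambda f: f["arn"])


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, WINDOW_START, WINDOW_END):
        print(f["arn"], f["countries"], "distinct ASNs:", f["asn_count"], f["ips"])
```

Run as written, the script flags alice (two countries on two unrelated ASNs, the AiTM shape) and erin (two countries on one VPN ASN, the false-positive shape); bob, carol and frank are filtered out for the reasons in the comments. Passing the validated VPN ASN in excluded_asns suppresses erin without touching alice, and shortening the window so it closes before the attacker's replay shows why the rule's schedule and lookback determine what "short window" means in practice.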

Install detection rules in Elastic Security

Detect AWS IAM User Console Login from Multiple Geolocations in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.