AWS consoler detected

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a AWS consoler is seen in AWS CloudTrail logs.

Strategy

This rule monitors AWS CloudTrail logs for the GetCallerIdentity API call with the parameter aws_consoler. AWS consoler is a tool that converts AWS CLI credentials into AWS console access. While this tool can be used legitimately by teams, it may also be used by attackers to gain access to a victim’s console.

Triage and response

  1. Determine if your organization is using the AWS consoler.
  2. If it is an internal tool, notify the relevant team so that the leaked key can be triaged appropriately.
  3. If the results of the triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential.
    • Investigate any actions taken by the identity {{@userIdentity.arn}}.
    • Work with the relevant teams to remove the key from any source code repositories.