Detection: IAM User Console Access Enabled
Overview
Detect when an IAM user was granted AWS Management Console access. Console access increases the risk of unauthorized changes or data exposure if proper security controls, such as MFA and strong password policies, are not enforced. Monitoring these configurations ensures that only authorized and secured users have console access.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.iam_user_login_profile_createdSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.iam_user_login_profile_created --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'userName' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'iam.amazonaws.com' and event_name = 'CreateLoginProfile' and error_code is null
order by event_time desc;