Aug 22, 2024 • Wiz Security Research
AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Executive Summary
This report highlights a significant cloud security concern regarding AWS Console session traceability. Attackers can exploit the default AWS configuration, in which no SourceIdentity is set on role sessions, to obfuscate their identity during operations. This lack of traceability complicates detection and attribution for security teams monitoring cloud environments. The primary threat is a defense evasion technique that leverages legitimate cloud infrastructure to mask malicious activity. While no specific threat actor or malware family is identified, the technique poses a medium severity risk to organizations relying on AWS. Mitigation requires configuring SourceIdentity within AWS IAM roles and sessions so that logging and accountability remain accurate. Security teams should audit their CloudTrail logs to verify that identity metadata is captured, preventing attackers from hiding behind ambiguous session data during compromise incidents.
Summary
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
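The mitigation above has two halves: require a source identity at the role boundary, and check CloudTrail for sessions that still lack one. The following is an added example, not code from the Wiz report, showing both checks in Python. The account id, role name and CloudTrail records are constructed placeholders; the `sts:SourceIdentity` condition key, the `sts:SetSourceIdentity` action and the `userIdentity.sessionContext.sourceIdentity` CloudTrail field are the documented AWS names.

```python
"""
Added example (not from the Wiz write-up) for SourceIdentity coverage:

1. trust_policy_requires_source_identity(): does a role trust policy
   require the caller to set a source identity? The hardened policy uses
   the sts:SourceIdentity condition key and allows sts:SetSourceIdentity;
   the default-shaped policy does neither.
2. sessions_without_source_identity(): scan CloudTrail records for
   AssumedRole sessions whose sessionContext carries no sourceIdentity,
   i.e. the ambiguous sessions the report describes.

All account ids, ARNs and events below are constructed sample data.
"""
from typing import Iterable, List

# Constructed hardened trust policy: the role can be assumed only when the
# caller sets a source identity. The Null condition with "false" means
# "the key must be present"; sts:SetSourceIdentity must be allowed too.
TRUST_POLICY_REQUIRING_SOURCE_IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
        "Condition": {"Null": {"sts:SourceIdentity": "false"}},
    }],
}

# Constructed weak policy: the default shape, no SourceIdentity requirement.
TRUST_POLICY_DEFAULT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to list."""
    return value if isinstance(value, list) else [value]


def trust_policy_requires_source_identity(policy: dict) -> bool:
    """True if every Allow statement granting sts:AssumeRole also allows
    sts:SetSourceIdentity and conditions on sts:SourceIdentity.
    (Simplification: any operator that names the key counts as a requirement.)"""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue  # statement does not grant AssumeRole at all
        if not actions & {"sts:setsourceidentity", "sts:*"}:
            return False  # caller could never set the identity
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "sts:sourceidentity" not in keys:
            return False  # AssumeRole allowed without any identity constraint
    return True


# Constructed CloudTrail records: one session set a source identity, one did not.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {   # action inside a session whose AssumeRole call set sourceIdentity
        "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session1",
            "sessionContext": {"sourceIdentity": "alice",
                               "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Admin"}},
        },
    },
    {   # action inside a session with no sourceIdentity: attribution is ambiguous
        "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session2",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/Admin"}},
        },
    },
    {   # IAM user acting directly: not a role session, ignored by the scan
        "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
    },
]


def sessions_without_source_identity(events: Iterable[dict]) -> List[dict]:
    """Return one finding per AssumedRole event that carries no sourceIdentity."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        if not ident.get("sessionContext", {}).get("sourceIdentity"):
            findings.append({"eventName": ev.get("eventName"), "session": ident.get("arn")})
    return findings


if __name__ == "__main__":
    print("hardened policy requires SourceIdentity:",
          trust_policy_requires_source_identity(TRUST_POLICY_REQUIRING_SOURCE_IDENTITY))
    print("default policy requires SourceIdentity:",
          trust_policy_requires_source_identity(TRUST_POLICY_DEFAULT))
    for f in sessions_without_source_identity(SAMPLE_CLOUDTRAIL_EVENTS):
        print("ambiguous session:", f)
```

Run the policy check against every role trust policy in the account and the event scan over exported CloudTrail logs; a session that shows up in the second list is one where the console or API actor cannot be tied back to a human identity without further correlation.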