AWS Identity and Access Management
cpe:2.3:a:amazon:aws_identity_and_access_management:*:*:*:*:*:*:*
A vulnerability in the AWS Identity and Access Management (IAM) Sign-in login flow prior to January 16, 2025, allowed for brute force enumeration of valid IAM usernames. By exploiting variable response times during login attempts, an actor could discern the existence of usernames within an AWS account. While this vulnerability could aid in identifying valid usernames, it is important to note that username information alone does not grant access to AWS resources. Full authentication, including account identifier, username, password, and multi-factor authentication (if enabled), is required to access an account.
Exploitation of this vulnerability could lead to unauthorized enumeration of valid IAM usernames, potentially facilitating targeted attacks or unauthorized access attempts.
AWS has addressed this vulnerability by introducing a uniform delay in response times for authentication failures, eliminating any time variations that could be used to infer the validity of usernames. No customer action is required. Sign-in activity, including failed and successful events, can be monitored using AWS CloudTrail.
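The fix described above is a standard pattern: make every authentication failure cost the same wall-clock time whether or not the username exists. The following is an added illustration, not AWS Sign-in code; the in-memory user store, PBKDF2 parameters and the 250 ms floor are constructed assumptions chosen to make the two patterns easy to compare. `login_variable_time` shows the weak shape (an unknown username returns before any password hashing is done, so failures for unknown names are faster), and `login_uniform_time` shows the hardened shape (unknown names still pay for a dummy hash, and every failure is padded to a fixed minimum response time).

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user store: username -> (salt, pbkdf2 hash). Not AWS data.
_STORE = {}

def _hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """Derive a password hash; deliberately slow so that the timing gap is visible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _STORE[username] = (salt, _hash(password, salt))

# Weak pattern: an unknown username returns immediately, a known username only
# fails after the (slow) hash is computed, so failure latency reveals which
# usernames exist.
def login_variable_time(username: str, password: str) -> bool:
    record = _STORE.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)

# Hardened pattern: unknown usernames are run through the same hash against a
# dummy record, and every failure is held until a fixed minimum response time
# has elapsed, so a failed login looks the same for known and unknown names.
MIN_RESPONSE = 0.25          # assumed floor in seconds; tune for the real service
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-never-valid", _DUMMY_SALT)

def login_uniform_time(username: str, password: str) -> bool:
    start = time.monotonic()
    record = _STORE.get(username)
    if record is None:
        salt, expected, user_exists = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        (salt, expected), user_exists = record, True
    # Always perform the hash and the constant-time compare, then AND with
    # user_exists so the dummy record can never produce a successful login.
    ok = hmac.compare_digest(_hash(password, salt), expected) and user_exists
    if not ok:
        remaining = MIN_RESPONSE - (time.monotonic() - start)
        if remaining > 0:
            time.sleep(remaining)
    return ok

def timed(login, username: str, password: str):
    """Return (result, elapsed_seconds) for one login attempt."""
    start = time.monotonic()
    result = login(username, password)
    return result, time.monotonic() - start

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    for name in ("alice", "nobody"):
        print(name, timed(login_variable_time, name, "wrong"))
        print(name, timed(login_uniform_time, name, "wrong"))
```

Running the block prints the weak handler failing almost instantly for `nobody` but only after the hash for `alice`, while the hardened handler takes at least the floor for both. Note that the floor only equalises failures, which matches the advisory; a successful login returns as soon as the hash is verified.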
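The advisory points to CloudTrail as the place to watch sign-in activity. As an added example (not an AWS tool), the block below builds a few constructed CloudTrail-shaped `ConsoleLogin` records and runs a simple rule over them: flag any source address with a burst of failed console logins inside a sliding window, which is the footprint a username-guessing loop leaves regardless of the timing channel. The field names follow the `ConsoleLogin` event format (`eventName`, `sourceIPAddress`, `responseElements.ConsoleLogin`, `userIdentity.userName`); the IP addresses, usernames, timestamps and the five-failures-in-ten-minutes threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _event(ts, ip, user, outcome):
    """Build one CloudTrail-shaped ConsoleLogin record (constructed sample, not real data)."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return json.dumps(rec)

# Constructed sample log: one source cycles through several names within a few
# minutes, another source mistypes a password twice and then succeeds. CloudTrail
# records a non-existent username as the placeholder "HIDDEN_DUE_TO_SECURITY_REASONS".
SAMPLE_LOG = [
    _event("2025-01-10T12:00:05Z", "198.51.100.7", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure"),
    _event("2025-01-10T12:00:31Z", "198.51.100.7", "alice", "Failure"),
    _event("2025-01-10T12:01:02Z", "198.51.100.7", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure"),
    _event("2025-01-10T12:01:40Z", "198.51.100.7", "bob", "Failure"),
    _event("2025-01-10T12:02:11Z", "198.51.100.7", "HIDDEN_DUE_TO_SECURITY_REASONS", "Failure"),
    _event("2025-01-10T12:02:55Z", "198.51.100.7", "carol", "Failure"),
    _event("2025-01-10T12:05:00Z", "203.0.113.5", "dave", "Failure"),
    _event("2025-01-10T12:05:20Z", "203.0.113.5", "dave", "Failure"),
    _event("2025-01-10T12:05:45Z", "203.0.113.5", "dave", "Success"),
]

def failed_console_logins(lines):
    """Yield parsed ConsoleLogin events whose outcome was Failure."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        yield ev

def enumeration_suspects(lines, min_failures=5, window=timedelta(minutes=10)):
    """Return {source_ip: failure_count} for sources that produced at least
    min_failures failed console logins inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for ev in failed_console_logins(lines):
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[ev["sourceIPAddress"]].append(t)
    suspects = {}
    for ip, times in per_ip.items():
        times.sort()
        for i, t0 in enumerate(times):          # slide the window start over each failure
            in_window = [t for t in times[i:] if t - t0 <= window]
            if len(in_window) >= min_failures:
                suspects[ip] = len(in_window)
                break
    return suspects

if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))     # {'198.51.100.7': 6}
```

The rule counts failures rather than distinct usernames because attempts against names that do not exist all carry the same hidden placeholder, so a distinct-name count would undercount exactly the traffic this advisory is about. In practice the input would be the CloudTrail JSON delivered to S3 or CloudWatch Logs rather than the constructed list here.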