Description:
AWS Failed Login Events may display IAMUser/<Account number> : HIDDEN_DUE_TO_SECURITY_REASONS as the user.
Explanation
Usually, 'HIDDEN_DUE_TO_SECURITY_REASONS' is listed as the user when the sign-in failure is caused by an incorrect user name.
AWS GuardDuty masks the user name for failed logins, as explained here.
Along with this, consider the following CloudTrail log file snippet for a sign-in failure caused by an incorrect user name, taken from the 'Log events with CloudTrail' documentation by AWS:
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "eventTime": "2015-03-31T22:20:42Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "192.0.2.101",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "errorMessage": "No username found in supplied account",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "a7654656-0417-45c6-9386-ea8231385051",
    "eventType": "AwsConsoleSignin",
    "recipientAccountId": "123456789012"
}
From the above raw CloudTrail log file snippet of the corresponding event, we can see that the log file itself contains the value of 'HIDDEN_DUE_TO_SECURITY_REASONS' as the username. It also contains the error message with a value of 'No username found in supplied account'.
As 'HIDDEN_DUE_TO_SECURITY_REASONS' is the userName returned by the actual CloudTrail event, this is the same value shown in the corresponding Lacework event.
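As an added example (not Lacework or AWS code), the Python below reads a CloudTrail log file and separates failed console sign-ins that carry the masked user name (the supplied user name did not exist) from failures on a real user name, counting each per source IP so repeated attempts stand out. The records, IP addresses and the 'Failed authentication' message are constructed sample data.

```python
import json
from collections import Counter

# Value AWS substitutes for the user name when a console sign-in fails
# because the supplied user name does not exist in the account.
HIDDEN_USER = "HIDDEN_DUE_TO_SECURITY_REASONS"

# Constructed sample CloudTrail file ("Records" array) with three ConsoleLogin events.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "userName": HIDDEN_USER},
     "sourceIPAddress": "192.0.2.101",
     "errorMessage": "No username found in supplied account",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "userName": "alice"},
     "sourceIPAddress": "192.0.2.101",
     "errorMessage": "Failed authentication",  # constructed sample message
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}},
]})


def classify_console_logins(raw_json):
    """Summarise ConsoleLogin events from a CloudTrail log file.

    Failures are split into 'unknown_user' (masked user name, i.e. the user
    name does not exist) and 'bad_credentials' (real user name, failed
    password or MFA); both are counted per source IP address.
    """
    summary = {"unknown_user": Counter(), "bad_credentials": Counter(), "success": 0}
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Success":
            summary["success"] += 1
            continue
        user = (rec.get("userIdentity") or {}).get("userName")
        bucket = "unknown_user" if user == HIDDEN_USER else "bad_credentials"
        summary[bucket][rec.get("sourceIPAddress", "unknown")] += 1
    return summary


if __name__ == "__main__":
    print(classify_console_logins(SAMPLE_RECORDS))
```

A burst of 'unknown_user' failures from one source IP is the pattern to alert on, since it indicates user-name guessing rather than a legitimate user mistyping a password.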