heroui logo

AWS IAM User Console Login Without MFA

Elastic Detection Rules

View Source
Summary
Detects the first observed instance within a 7-day history window where a standard AWS IAM user successfully signs into the AWS Management Console without MFA (MFAUsed: No) as recorded by CloudTrail (ConsoleLogin event, signin.amazonaws.com, aws.cloudtrail.user_identity.type: IAMUser, additional_eventdata.mfa_used: false). This rule excludes AWS root and federated/SSO sign-ins. Implemented as a New Terms rule, it fires once per user.id within the history window to drive MFA enrollment rather than treating every occurrence as an incident. The detection relies on CloudTrail data streams (logs-aws.cloudtrail-*) and is intended to highlight weak MFA posture and potential credential abuse. If triggered, it warrants MFA enforcement review and credential risk assessment, rather than immediate containment, depending on environment policy and user context.
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2026-07-13