
AWS Signin Single Factor Console Login with Federated User

Elastic Detection Rules

Summary
This detection rule identifies instances where federated users log into the AWS Management Console without multi-factor authentication (MFA), a potentially significant security risk. Federated users are given temporary credentials to access AWS services, and without MFA their authentication relies on a single factor. The rule analyzes AWS CloudTrail logs for events generated through the AWS sign-in service, specifically console login actions performed by federated users. If such an event indicates that MFA was not used, it is flagged. The risk is that unauthorized users could exploit temporary credentials to gain access, potentially leading to further attacks. The guide includes investigative and remediation steps to validate potential security incidents, determine the legitimacy of the access, and enforce MFA where necessary to mitigate future risks.
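As an added example that is not part of the Elastic rule itself, the following Python applies the same conditions the summary describes to a few constructed CloudTrail records (sample data, not real logs; the account id and IP addresses are placeholders): a ConsoleLogin event from the sign-in service, a FederatedUser identity, and MFAUsed set to No.

```python
import json
from typing import Iterable

# Constructed sample CloudTrail records (not real logs): a federated console
# login without MFA, one with MFA, and an IAM-user login without MFA.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.12"},
]


def is_single_factor_federated_login(event: dict) -> bool:
    """Return True when one CloudTrail record matches the rule's conditions."""
    identity = event.get("userIdentity", {})
    extra = event.get("additionalEventData", {})
    return (
        event.get("eventSource") == "signin.amazonaws.com"
        and event.get("eventName") == "ConsoleLogin"
        and identity.get("type") == "FederatedUser"
        and extra.get("MFAUsed") == "No"
    )


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return a compact alert record for every matching event."""
    alerts = []
    for ev in events:
        if is_single_factor_federated_login(ev):
            alerts.append({
                "arn": ev.get("userIdentity", {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
                "outcome": ev.get("responseElements", {}).get("ConsoleLogin"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Only the first sample record is flagged; the MFA-backed federated login and the IAM-user login fall outside the rule's scope.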
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Storage
  • User Account
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
Created: 2024-08-19