AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Sigma rule
title: AWS Successful Console Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
    Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
    This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
references:
    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer, Ivan Saakov
date: 2025-10-18
modified: 2025-10-21
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'NO'
        responseElements.ConsoleLogin: 'Success'
    condition: selection
falsepositives:
    - Unlikely
level: medium
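The rule's selection evaluated over CloudTrail records, as an added example that is not part of the Sigma rule or its repository. The sample records are constructed, and the `triage` step that labels each hit by `userIdentity.type` (so IAM-user hits can be told apart from role sessions, where MFA may have been enforced by an external identity provider) is an assumption added here, not rule logic.

```python
import json

# The three field conditions from the rule's `selection` block.
SELECTION = {
    "eventName": "ConsoleLogin",
    "additionalEventData.MFAUsed": "NO",
    "responseElements.ConsoleLogin": "Success",
}

def get_field(event, dotted):
    """Resolve a dotted Sigma field name against a nested CloudTrail record."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event):
    """True when every selection field matches. Sigma compares plain string
    values case-insensitively, so CloudTrail's 'No' satisfies the rule's 'NO'."""
    for field, expected in SELECTION.items():
        actual = get_field(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True

def triage(event):
    """Assumed triage step (not part of the rule): label hits by userIdentity.type."""
    if not matches_rule(event):
        return None
    return event.get("userIdentity", {}).get("type", "Unknown")

# Constructed sample records, trimmed to the fields used here.
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"AssumedRole"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"dave"},"responseElements":null}
"""

def run(log_text=SAMPLE_LOG):
    """Return the triage label for each record, or None where the rule does not fire."""
    return [triage(json.loads(line)) for line in log_text.strip().splitlines()]

if __name__ == "__main__":
    print(run())
```

Only the first and fourth records fire: the second used MFA, the third failed, and the fifth is not a console login.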
References
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity