AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Sigma rule
title: AWS Successful Console Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
    Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
    This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
references:
    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer, Ivan Saakov
date: 2025-10-18
modified: 2025-10-21
tags:
    - attack.initial-access
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'NO'
        responseElements.ConsoleLogin: 'Success'
    condition: selection
falsepositives:
    - Unlikely
level: medium
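Added example, not part of the rule or its repository: a Python evaluation of the rule's selection over constructed CloudTrail records, useful for checking how the three fields combine before deploying the rule. It assumes Sigma's default case-insensitive string matching (CloudTrail writes the value as "Yes"/"No"); the function names and sample events are hypothetical.

```python
import json

# The rule's selection, copied from its detection section.
SELECTION = {
    "eventName": "ConsoleLogin",
    "additionalEventData.MFAUsed": "NO",
    "responseElements.ConsoleLogin": "Success",
}

def get_field(event, dotted):
    """Resolve a dotted Sigma field name against a nested CloudTrail record."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None  # missing field: the selection cannot match
        node = node[key]
    return node

def matches(event):
    """True when every selection field matches (AND), ignoring case."""
    for field, expected in SELECTION.items():
        actual = get_field(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True

def triage(lines):
    """Return (identity type, user name, source IP) for each matching JSON line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if matches(ev):
            ident = ev.get("userIdentity", {})
            hits.append((ident.get("type"), ident.get("userName"), ev.get("sourceIPAddress")))
    return hits

# Constructed sample events (not real logs), one JSON record per line.
SAMPLE = [
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.8","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.9","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.20","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":null}',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Returning the identity type with each hit lets an analyst separate root and IAM-user sign-ins from other session types during triage.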
Related rules
- Okta New Admin Console Behaviours
- Account Disabled or Blocked for Sign in Attempts
- Azure AD Only Single Factor Authentication Required
- Azure Subscription Permission Elevation Via ActivityLogs
- Failed Authentications From Countries You Do Not Operate Out Of