AWS IAM User with Console Access Login Without MFA
Identifies AWS IAM user authentication to the AWS Management Console without Multi-Factor Authentication (MFA). IAM users who can access the Console but haven't enabled MFA pose a security risk. These accounts could be compromised through credential stuffing, brute force attacks, or social engineering techniques.
Sigma rule

```yaml
title: AWS IAM User with Console Access Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
    Identifies AWS IAM user authentication to the AWS Management Console without Multi-Factor Authentication (MFA).
    IAM users who can access the Console but haven't enabled MFA pose a security risk. These accounts could be compromised through credential stuffing, brute force attacks, or social engineering techniques.
references:
    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer
date: 2025-10-18
tags:
    - attack.initial-access
    - attack.t1078.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'NO'
    condition: selection
falsepositives:
    - Unlikely
level: medium
```
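An added example, not part of the Sigma rule or its repository: the rule's `selection` evaluated in Python over constructed CloudTrail events. It shows that `'NO'` matches CloudTrail's `"No"` because Sigma compares strings case-insensitively, and that the selection as written also matches failed and root sign-ins. `triage` is a hypothetical helper name, and the events are trimmed to the fields used here.

```python
# Added example: evaluates the rule's `selection` over constructed CloudTrail events.
SELECTION = {"eventName": "ConsoleLogin", "additionalEventData.MFAUsed": "NO"}

def get_path(event, dotted):
    """Resolve a Sigma-style dotted field name against nested JSON."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches(event, selection=SELECTION):
    """Every field must equal the rule value; Sigma string matching ignores case."""
    for field, expected in selection.items():
        actual = get_path(event, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True

def triage(events):
    """Hypothetical helper: (who, identity type, login outcome) for each hit."""
    hits = []
    for ev in events:
        if matches(ev):
            id_type = get_path(ev, "userIdentity.type")
            who = get_path(ev, "userIdentity.userName") or id_type
            hits.append((who, id_type, get_path(ev, "responseElements.ConsoleLogin")))
    return hits

# Constructed sample events, not taken from a real trail.
EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Splitting hits on `userIdentity.type` and `responseElements.ConsoleLogin` at triage time separates successful IAM user sign-ins from the other matches.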
Related rules
- Okta New Admin Console Behaviours
- Account Disabled or Blocked for Sign in Attempts
- Azure AD Only Single Factor Authentication Required
- Azure Subscription Permission Elevation Via ActivityLogs
- Failed Authentications From Countries You Do Not Operate Out Of