← Back to Explore
sigmamediumHunting
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Detection Query
selection:
eventName: ConsoleLogin
additionalEventData.MFAUsed: NO
responseElements.ConsoleLogin: Success
condition: selection
Author
Thuya@Hacktilizer, Ivan Saakov
Created
2025-10-18
Data Sources
awscloudtrail
Platforms
aws
References
Tags
attack.initial-accessattack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1078.004
Raw Content
title: AWS Successful Console Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
references:
- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer, Ivan Saakov
date: 2025-10-18
modified: 2025-10-21
tags:
- attack.initial-access
- attack.defense-evasion
- attack.persistence
- attack.privilege-escalation
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'ConsoleLogin'
additionalEventData.MFAUsed: 'NO'
responseElements.ConsoleLogin: 'Success'
condition: selection
falsepositives:
- Unlikely
level: medium