AWS IAM MFA Device Deactivation
Detection of AWS IAM MFA device deactivation via the `DeactivateMFADevice` API call, which could indicate an attempt to weaken account protections for privilege escalation or persistence.
This threat brief focuses on the detection of Multi-Factor Authentication (MFA) device deactivation within AWS Identity and Access Management (IAM). Adversaries, or compromised administrators, may attempt to deactivate MFA devices to weaken account protections, disable strong authentication, and potentially escalate privileges or establish persistence within the AWS environment. The detection strategy hinges on monitoring successful DeactivateMFADevice API calls, which represent the event when MFA protection is actively removed from an IAM user. Successful deactivation of MFA makes an AWS account more vulnerable to credential theft and unauthorized access, especially for privileged accounts. Defenders need to be aware of legitimate MFA deactivation events like device rotation or user offboarding, which can cause false positives.
Attack Chain
- Initial compromise of an IAM user's credentials through phishing or credential stuffing.
- Attacker logs into the AWS environment using compromised credentials.
- Attacker enumerates MFA devices associated with the target IAM user by using API calls like
ListMFADevices. - Attacker calls
DeactivateMFADeviceto remove the MFA requirement for the targeted user. - The AWS IAM service processes the
DeactivateMFADevicerequest and, if authorized based on the attacker's privileges, removes the MFA association. - Attacker may then create new access keys (
CreateAccessKey) or modify IAM policies (AttachUserPolicy) to further their access. - Attacker accesses sensitive AWS resources, such as S3 buckets or EC2 instances, without MFA.
- Attacker establishes persistence by creating backdoors or modifying IAM roles to maintain access after the initial compromise is detected.
Impact
A successful MFA deactivation can lead to unauthorized access to sensitive data, service disruption, or complete account takeover. The impact is magnified when privileged accounts are targeted. The lack of MFA significantly reduces the security posture of the affected AWS account, making it easier for attackers to move laterally within the AWS environment and exfiltrate data. Organizations relying heavily on AWS services could face significant financial losses and reputational damage.
Recommendation
- Deploy the Sigma rule
AWS IAM MFA Deactivationto detect successfulDeactivateMFADeviceAPI calls (see rule below). - Investigate any detected
DeactivateMFADeviceevents by reviewingaws.cloudtrail.user_identity.arnandsource.ipto determine the initiator and origin. - Enable AWS CloudTrail logging and monitor for IAM configuration changes, focusing on events related to MFA device management.
- Enforce MFA for all IAM users, particularly those with elevated privileges, using service control policies (SCPs).
- Implement automated alerts for unusual IAM activity, such as MFA deactivation outside of business hours or from unfamiliar IP addresses.
- Review CloudTrail logs for related API calls like
ListMFADevices,CreateAccessKey, orAttachUserPolicyfollowing theDeactivateMFADeviceevent.
Detection coverage 2
AWS IAM MFA Deactivation
mediumDetects the deactivation of an MFA device in AWS IAM via the DeactivateMFADevice API call.
AWS IAM MFA Deactivation by Unusual Source IP
highDetects the deactivation of an MFA device in AWS IAM from a source IP not in a whitelist.
Detection queries are available on the platform. Get full rules →