AWS IAM User Console Login Without MFA
This brief identifies successful logins to the AWS Management Console by standard IAM users without Multi-Factor Authentication (MFA). It focuses on the first observed occurrence within a 7-day history window for each user. An adversary who obtains a user's password can gain access if MFA is not enforced, representing a significant initial access vector. This event signals a critical posture gap that allows adversaries to achieve initial access using compromised credentials, leading to potential privilege escalation, data exfiltration, or resource deployment.
This brief describes the detection of a standard AWS Identity and Access Management (IAM) user successfully signing in to the AWS Management Console without Multi-Factor Authentication (MFA). This detection, a "New Terms" rule, fires only on the first observed occurrence within a configured 7-day history window for a given user. The absence of MFA significantly weakens security controls, as a username and password can be relatively easy for an adversary to obtain through methods such as phishing, credential stuffing, or password reuse. If MFA is not enforced, an attacker with compromised credentials can directly access the AWS environment. This detection is crucial for identifying posture gaps in an organization's cloud security, which, if left unaddressed, could lead to unauthorized initial access to critical cloud resources, potentially enabling further malicious activities like privilege escalation, data exfiltration, or deployment of rogue infrastructure. This rule specifically targets standard IAM users and excludes AWS root users and federated/SSO sign-ins, which have different MFA considerations.
Attack Chain
- Initial Access - Credential Acquisition: An adversary obtains valid AWS IAM user credentials (username and password) through various means, such as phishing campaigns targeting AWS users, credential stuffing attacks leveraging leaked credentials from other breaches, or brute-force password guessing.
- Authentication Attempt: The adversary attempts to sign in to the AWS Management Console using the compromised IAM user credentials.
- Bypass Defense - Lack of MFA: Due to the absence of enforced Multi-Factor Authentication for the targeted IAM user account, the AWS authentication process completes successfully with only the username and password.
- Initial Foothold: The adversary gains unauthorized initial access to the AWS environment via the Management Console, bypassing a critical security layer.
- Post-Login Activity: Upon gaining access, the adversary can explore the environment, escalate privileges, exfiltrate sensitive data, deploy malicious resources, or disrupt services, depending on the compromised user's permissions.
Impact
A successful login without MFA grants an adversary initial access to an organization's AWS environment, immediately exposing cloud resources to potential compromise. This can lead to unauthorized data access and exfiltration, resource manipulation, privilege escalation, and even complete control over the compromised AWS account. While this detection primarily signals a critical security posture gap rather than an immediate breach, neglecting to enforce MFA significantly increases the attack surface. Organizations without universal MFA enforcement will regularly see this event, indicating a systemic vulnerability that attackers can exploit at any time. The impact can range from minor data exposure to major financial losses and reputational damage, depending on the permissions of the compromised IAM user and the attacker's subsequent actions.
Recommendation
- Deploy the Sigma rule "AWS IAM User Console Login Without MFA" to your SIEM and tune for your environment to detect new occurrences.
- Investigate detected
aws.cloudtrailevents whereadditionalEventData.MFAUsedis "No" by reviewing thesource.ip,source.geo.country_name, anduser_agent.originalfields for anomalies relative to the user's normal sign-in patterns. - Correlate alerts from the Sigma rule with recent credential exposure alerts (e.g., password resets, phishing reports) involving the identified
user.name. - Enforce MFA for all IAM users capable of console access immediately using IAM policy conditions (
aws:MultiFactorAuthPresent) or an Organizational Service Control Policy (SCP) to remediate the posture gap highlighted by the Sigma rule. - For any
user.nameidentified by this detection, force a password reset and review recent console/API activity for the account to identify potential post-login malicious actions. - Consider migrating console access for users to federated/SSO sign-in with Identity Provider (IdP)-enforced MFA, which offers a more robust MFA solution than IAM user passwords.
Detection coverage 1
AWS IAM User Console Login Without MFA
mediumDetects a standard AWS IAM user successfully logging into the AWS Management Console without Multi-Factor Authentication (MFA).
Detection queries are available on the platform. Get full rules →