It is possible that some accounts do not have MFA enabled for the AWS account; however, it's against the best practices of securing AWS.

Techniques

Sample rules

AWS Successful Single-Factor Authentication

Description

The following analytic identifies a successful Console Login authentication event against an AWS IAM user for an account without Multi-Factor Authentication enabled. This could be evidence of a misconfiguration, a policy violation, or an account takeover attempt, and it should be investigated.

Detection logic

`cloudtrail` eventName=ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion user_name userIdentity.arn 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_successful_single_factor_authentication_filter`
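
The same selection applied to raw CloudTrail records, as an added Python example that is not part of the original rule. The sample events are constructed, the helper names are hypothetical, and two points are assumptions: that the search's errorCode=success corresponds to responseElements.ConsoleLogin being "Success" in the raw record, and that src corresponds to sourceIPAddress. It groups by source IP and user ARN only, a subset of the rule's by-fields.

```python
from collections import defaultdict


def _event(user, src, mfa, result, when):
    """Build a constructed ConsoleLogin record using raw CloudTrail field names."""
    return {
        "eventName": "ConsoleLogin",
        "eventTime": when,  # ISO 8601 UTC, so string comparison orders by time
        "sourceIPAddress": src,
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::111122223333:user/{user}"},
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed sample data: documentation IP ranges and a placeholder account ID.
SAMPLE_EVENTS = [
    _event("alice", "203.0.113.10", "No", "Success", "2024-01-01T10:00:00Z"),
    _event("alice", "203.0.113.10", "No", "Success", "2024-01-01T12:30:00Z"),
    _event("bob", "198.51.100.7", "Yes", "Success", "2024-01-01T11:00:00Z"),
    _event("carol", "192.0.2.44", "No", "Failure", "2024-01-01T11:05:00Z"),
]


def is_single_factor_success(ev):
    """Match a successful console login where MFA was not used."""
    if ev.get("eventName") != "ConsoleLogin":
        return False
    # Assumption: the search's errorCode=success maps to this raw field.
    if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return False
    # Missing additionalEventData is treated as "no match", like the search.
    return (ev.get("additionalEventData") or {}).get("MFAUsed") == "No"


def summarize(events):
    """Count matches and track firstTime/lastTime per (source IP, user ARN)."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in filter(is_single_factor_success, events):
        g = groups[(ev["sourceIPAddress"], ev["userIdentity"]["arn"])]
        t = ev["eventTime"]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_EVENTS).items():
        print(key, stats)
```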