Many service accounts configured within an AWS infrastructure do not have multi-factor authentication enabled. Please ignore the service accounts if they trigger this detection and instead add them to the aws_service_accounts.csv file to fine-tune it. It is also possible that the search detects users in your environment who authenticate through single sign-on systems, since their MFA is not handled by AWS and the CloudTrail session attribute will still read false.

Techniques

Sample rules

Detect API activity from users without MFA

Description

This search looks for AWS CloudTrail events where a user has logged into the AWS account and is making API calls without multi-factor authentication (MFA) enabled. MFA adds a layer of security by requiring users to enter a unique authentication code from an approved authentication device when they access AWS websites or services. AWS best practices recommend enabling MFA for privileged IAM users.

Detection logic

`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false
| search NOT [| inputlookup aws_service_accounts | fields identity | rename identity as user]
| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_api_activity_from_users_without_mfa_filter`
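The same detection logic as an added Python example (not part of this page or of the Splunk content project), run over constructed CloudTrail records: it keeps records whose session attribute mfaAuthenticated is false, drops identities listed in a set standing in for the aws_service_accounts lookup, and aggregates count, firstTime, lastTime and eventName per ARN, identity type and user. Deriving `user` from userIdentity.userName (falling back to the last path element of the ARN) is an assumption about how the Splunk field is populated.

```python
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real account data); only the
# fields the detection reads are included.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    # Service account without MFA: suppressed via the allowlist below.
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "arn": "arn:aws:iam::123456789012:user/svc-backup",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    # MFA-authenticated session: not matched.
    {"eventTime": "2024-05-01T10:09:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

# Stands in for the 'identity' column of aws_service_accounts.csv.
SERVICE_ACCOUNTS = {"svc-backup"}


def detect_api_activity_without_mfa(events, service_accounts):
    """Mirror the SPL: mfaAuthenticated=false, minus allowlisted users, aggregated per identity."""
    results = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        # Records with no sessionContext never equal "false" and are skipped,
        # exactly as the SPL field comparison skips them.
        if str(attrs.get("mfaAuthenticated", "")).lower() != "false":
            continue
        # Assumption: 'user' is userName, else the last path element of the ARN.
        user = ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]
        if user in service_accounts:
            continue
        key = (ident.get("arn"), ident.get("type"), user)
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row = results.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "eventName": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["eventName"].add(ev.get("eventName"))
    return results
```

Running it with an empty allowlist shows the service account reappearing, which is the tuning loop the false-positive note above describes.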