Some legitimate administrative workflows or CI/CD automation pipelines may temporarily configure or re-enable MFA devices using session-based credentials. Validate the calling identity's purpose, source IP, and user agent to confirm whether this activity was authorized. Additionally, when a user creates or enables a virtual MFA device through the AWS Management Console, the underlying CloudTrail event will also show a temporary credential (access key ID beginning with ASIA), because the console itself issues short-lived STS session credentials for every logged-in user. These events are expected and should not be considered suspicious.

Techniques

Sample rules

AWS IAM Virtual MFA Device Registration Attempt with Session Token

Description

Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.

Detection logic

iam where event.dataset == "aws.cloudtrail"
  and event.provider == "iam.amazonaws.com"
  and event.outcome == "success"
  and event.action in ("CreateVirtualMFADevice", "EnableMFADevice")
  and startsWith(aws.cloudtrail.user_identity.access_key_id, "ASIA")
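As an added example (not code from the rule's author or from the LoFP entry), the detection logic above re-expressed in Python over a handful of constructed CloudTrail records, with the false-positive guidance at the top of the page applied as a triage step. The console user-agent strings, the "known automation" source address, the treatment of a record without errorCode as a successful call, and all sample values are assumptions.

```python
MFA_ACTIONS = {"CreateVirtualMFADevice", "EnableMFADevice"}
# Assumption: user agents the AWS Management Console stamps on calls it makes on a user's behalf.
CONSOLE_USER_AGENTS = {"console.amazonaws.com", "signin.amazonaws.com"}
# Assumption: source address of a CI/CD runner that is authorized to manage MFA devices.
KNOWN_AUTOMATION_IPS = {"192.0.2.25"}

# Constructed sample CloudTrail records (not real telemetry), trimmed to the fields the rule uses.
SAMPLE_EVENTS = [
    {"eventName": "EnableMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com"},
    {"eventName": "CreateVirtualMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0 Python/3.11.6"},
    {"eventName": "EnableMFADevice", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00003",
                      "arn": "arn:aws:iam::111122223333:user/carol"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0 Python/3.11.6"},
    {"eventName": "CreateVirtualMFADevice", "eventSource": "iam.amazonaws.com",
     "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00004",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0 Python/3.11.6"},
]

def matches_rule(ev):
    """Python mirror of the EQL rule: a successful IAM MFA registration call made with an ASIA (STS) key.
    Assumption: a CloudTrail record without errorCode is a successful call (event.outcome == "success")."""
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in MFA_ACTIONS
            and "errorCode" not in ev
            and ev.get("userIdentity", {}).get("accessKeyId", "").startswith("ASIA"))

def triage(ev):
    """Apply the false-positive guidance: console sessions and known automation are expected."""
    if ev.get("userAgent") in CONSOLE_USER_AGENTS:
        return "expected_console_session"
    if ev.get("sourceIPAddress") in KNOWN_AUTOMATION_IPS:
        return "expected_automation"
    return "review"  # anything else needs an analyst to confirm purpose, source IP and user agent

def run(events):
    """Return one triaged finding per record that matches the rule, in input order."""
    return [{"eventName": ev["eventName"], "arn": ev["userIdentity"]["arn"],
             "sourceIP": ev["sourceIPAddress"], "verdict": triage(ev)}
            for ev in events if matches_rule(ev)]
```

Over the sample records only the two ASIA-keyed successful calls match; the AKIA long-term key and the AccessDenied call fall outside the rule, and the console session is labelled expected rather than suspicious.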