AWS IAM Deactivation of MFA Device

Last updated 2 months ago on 2025-11-03
Created 6 years ago on 2020-05-26

About

Detects the deactivation of a Multi-Factor Authentication (MFA) device in AWS Identity and Access Management (IAM). MFA provides critical protection against unauthorized access by requiring a second factor for authentication. Adversaries or compromised administrators may deactivate MFA devices to weaken account protections, disable strong authentication, or prepare for privilege escalation or persistence. This rule monitors successful DeactivateMFADevice API calls, which represent the point at which MFA protection is actually removed.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS CloudTrail
Data Source: AWS IAM
Tactic: Impact
Tactic: Persistence
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)

Persistence (TA0003)

False Positive Examples
MFA device deactivation may occur legitimately during device rotation, user offboarding, or troubleshooting. For example, until IAM added support for multiple MFA devices per user (up to eight), replacing a device required deactivating the existing one first, and many rotation runbooks still deactivate the old device before or shortly after registering its replacement. These actions are often performed by administrators following approved change-control processes. To reduce false positives, validate whether the deactivation aligns with a documented workflow, a known device replacement, or an expected maintenance window, and whether the actor deactivated their own device or someone else's. If the call was made outside expected operational hours, by an unexpected principal, from an unfamiliar source IP, or against a different user's device, investigate it for potential credential compromise or unauthorized tampering.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail and event.provider: iam.amazonaws.com and event.action: DeactivateMFADevice and event.outcome: success
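The following is an added example, not code from Elastic or from the prebuilt rule package. It re-implements the rule's KQL as a Python predicate over constructed CloudTrail records and then applies the triage checks described under False Positive Examples (known administrator, self-service vs. another user's device, trusted source range, change window). The records, the administrator list, the 10.20.30.0/24 trusted range and the 08:00-17:59 UTC window are all hypothetical; the mapping of raw CloudTrail fields onto ECS (eventSource to event.provider, eventName to event.action, absence of errorCode to event.outcome: success) is an assumption about how the aws.cloudtrail integration populates those fields.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records for illustration only; they are not real logs.
# Assumed mapping of raw CloudTrail fields onto the ECS fields the rule queries:
#   eventSource -> event.provider, eventName -> event.action,
#   errorCode absent -> event.outcome: success (present -> failure).
SAMPLE_RECORDS = [
    {   # admin rotating her own device during business hours from the office range
        "eventTime": "2025-11-03T14:05:12Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "10.20.30.40",
        "requestParameters": {"userName": "alice",
                              "serialNumber": "arn:aws:iam::123456789012:mfa/alice"},
    },
    {   # denied attempt: CloudTrail records errorCode, so the rule must not fire
        "eventTime": "2025-11-03T14:06:40Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "sourceIPAddress": "10.20.30.41",
        "requestParameters": {"userName": "carol",
                              "serialNumber": "arn:aws:iam::123456789012:mfa/carol"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:DeactivateMFADevice",
    },
    {   # service user stripping MFA from a different human user at 03:17 UTC
        "eventTime": "2025-11-04T03:17:55Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"userName": "bob",
                              "serialNumber": "arn:aws:iam::123456789012:mfa/bob"},
    },
    {   # unrelated IAM call: different event.action, no match
        "eventTime": "2025-11-04T09:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateVirtualMFADevice",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "10.20.30.40",
        "requestParameters": {"virtualMFADeviceName": "alice"},
    },
]

# Hypothetical triage context; replace with your own inventory and network data.
KNOWN_ADMINS = {"alice", "carol"}
TRUSTED_CIDRS = [ip_network("10.20.30.0/24")]
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC


def to_ecs(record):
    """Project the raw CloudTrail fields onto the ECS fields used by the KQL."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": record.get("eventSource"),
        "event.action": record.get("eventName"),
        "event.outcome": "failure" if "errorCode" in record else "success",
    }


def matches_rule(record):
    """Python equivalent of the rule's KQL: dataset, provider, action and
    a successful outcome must all match for the alert to fire."""
    ecs = to_ecs(record)
    return (
        ecs["event.dataset"] == "aws.cloudtrail"
        and ecs["event.provider"] == "iam.amazonaws.com"
        and ecs["event.action"] == "DeactivateMFADevice"
        and ecs["event.outcome"] == "success"
    )


def triage(record):
    """Return the reasons this hit deserves escalation; an empty list means
    the deactivation looks like routine self-service rotation."""
    reasons = []
    actor = record.get("userIdentity", {}).get("userName")
    target = record.get("requestParameters", {}).get("userName")
    src = record.get("sourceIPAddress", "")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)

    if actor not in KNOWN_ADMINS:
        reasons.append(f"actor {actor!r} is not a known IAM administrator")
    if target and target != actor:
        reasons.append(f"actor {actor!r} removed MFA from another principal {target!r}")
    try:  # sourceIPAddress may be a service name rather than an address
        if not any(ip_address(src) in net for net in TRUSTED_CIDRS):
            reasons.append(f"source IP {src} is outside trusted ranges")
    except ValueError:
        reasons.append(f"non-IP source {src!r} (AWS-internal or service call)")
    if when.hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"performed at {when:%H:%M} UTC, outside the change window")
    return reasons


def run(records):
    """Apply the rule to every record and triage each hit: {actor: reasons}."""
    return {rec["userIdentity"]["userName"]: triage(rec)
            for rec in records if matches_rule(rec)}


if __name__ == "__main__":
    for actor, reasons in run(SAMPLE_RECORDS).items():
        print(f"{actor}: {'ESCALATE' if reasons else 'likely routine rotation'}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the two successful DeactivateMFADevice calls survive the rule; the AccessDenied attempt is useful context for the investigation (a failed attempt preceding a success by another principal is itself suspicious) but is not what this rule alerts on. Of the two hits, alice's self-service rotation triages clean, while svc-deploy's call trips every check and should be escalated.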

Install detection rules in Elastic Security

Detect AWS IAM Deactivation of MFA Device in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.