AWS IAM User Console Login Without MFA

Last updated 6 days ago on 2026-07-13
Created 6 days ago on 2026-07-13

About

Identifies the first observed occurrence, within the configured New Terms history window, of a regular IAM user successfully signing in to the AWS Management Console without multi-factor authentication. A password alone is a weaker control than password-plus-MFA, and an adversary who has phished, guessed, or otherwise obtained a user's password can sign in directly if MFA is not enforced for that user. This rule is scoped to standard IAM users only; it excludes the AWS root user (covered by a dedicated rule) and federated/SSO sign-ins (covered by a dedicated rule that also accounts for IdP-side MFA), since MFAUsed: No is expected in both of those cases for reasons unrelated to this gap.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS Sign-InUse Case: Identity and Access AuditTactic: Initial AccessLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

False Positive Examples
Environments that do not enforce MFA for all IAM users will see this regularly. This is a New Terms rule, so it only fires once per `user.id` within the configured history window (7d); use it to drive MFA enrollment and enforcement rather than treating every occurrence as an incident, unless MFA is a mandated control in your environment.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and event.provider: "signin.amazonaws.com" and event.action: "ConsoleLogin" and event.outcome: "success" and aws.cloudtrail.user_identity.type: "IAMUser" and aws.cloudtrail.console_login.additional_eventdata.mfa_used: false

Install detection rules in Elastic Security

Detect AWS IAM User Console Login Without MFA in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).