AWSCloudTrail - Login to AWS Management Console without MFA

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Identifies successful AWS Management Console sign-ins where CloudTrail records a ConsoleLogin event without multi-factor authentication. The rule looks for logins where MFAUsed is not Yes and the console response is not Failure, which can indicate credential misuse or weak account protection.

Attribute	Value
Type	Analytic Rule
Solution	Amazon Web Services
ID	d25b1998-a592-4bc5-8a3a-92b39eedb1bc
Severity	Low
Status	Available
Kind	Scheduled
Tactics	DefenseEvasion, PrivilegeEscalation, Persistence, InitialAccess
Techniques	T1078
Required Connectors	AWS, AWSS3
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName == "ConsoleLogin" SessionIssuerUserName !contains "AWSReservedSSO"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to Amazon Web Services