AWS console login without MFA
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when any user logs in to your AWS console without multi-factor authentication.
Strategy
This rule monitors CloudTrail and detects when any IAMUser
or Root
user does a Console Login
, and @userIdentity.sessionContext.attributes.mfaAuthenticated
has a value of false
.
Notes:
- This rule triggers with a
High
severity if the user logging in is a Root
user. - This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.
Triage and response
- Reach out to the {{@usr.name}} to determine if the login was legitimate.
- Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in.
- If the login was legitimate, request that the user enables 2FA.
- If the login wasn’t legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.
- Review all user accounts to ensure MFA is enabled.
Changelog
3 March 2022 - Updated rule.