Set up the CloudTrail integration.
Detect when a root user logs into the AWS console without multi-factor authentication.
Monitor CloudTrail and detect when any
@evt.name has a value of
@userIdentity.type has a value of
@additionalEventData.MFAUsed has a value of
Note: This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.
Note: There is a separate rule to detect Login without MFA for non-root users.
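
The detection logic above, run over constructed CloudTrail records, as an added example (not the rule's own definition). The page does not list the matched values: `ConsoleLogin`, `Root` and `No` are taken from the CloudTrail record format, and mapping `@evt.name` to `eventName` and recognising SAML sign-ins by `SamlProviderArn` are assumptions.

```python
import json

# Constructed sample records, one JSON object per line; IDs and ARNs are placeholders.
SAMPLE_LOG = """
{"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventID": "e2", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventID": "e3", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventID": "e4", "eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole"}, "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"}}
{"eventID": "e5", "eventName": "GetAccountSummary", "userIdentity": {"type": "Root"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_root_login_without_mfa(event):
    """True when a record meets all conditions of the rule described above."""
    identity = event.get("userIdentity") or {}
    extra = event.get("additionalEventData") or {}  # absent on most API events

    if event.get("eventName") != "ConsoleLogin":     # @evt.name (assumed mapping)
        return False
    if identity.get("type") != "Root":               # @userIdentity.type
        return False
    # SAML sign-ins are ignored: MFA is enforced at the IdP, so MFAUsed=No
    # says nothing about them. Assumption: they carry SamlProviderArn.
    if "SamlProviderArn" in extra:
        return False
    return extra.get("MFAUsed") == "No"              # @additionalEventData.MFAUsed


def find_alerts(events):
    """Return the eventID of every record that should raise the signal."""
    return [e.get("eventID") for e in events if is_root_login_without_mfa(e)]


if __name__ == "__main__":
    for event_id in find_alerts(parse_records(SAMPLE_LOG)):
        print("root console login without MFA:", event_id)
```

Record `e3` is left to the separate non-root rule, and `e5` shows that root API activity without `additionalEventData` does not match.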