AWS Successful Console Login Without MFA

Rule Info

Name
AWS Successful Console Login Without MFA
Author
Thuya@Hacktilizer, Ivan Saakov
Description
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
Reference
https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
Date
2025-10-18 00:00:00
Modified
2025-10-21 00:00:00
Id
77caf516-34e5-4df9-b4db-20744fea0a60
Tags
attack.initial-access attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1078.004
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=77caf516-34e5-4df9-b4db-20744fea0a60

Rule History

Author
Title
Date
Commit
phantinuss
chore: ci: bump validator version (#5722)
2025-10-23
c8075cab6
Ivan S
Merge PR #5021 from @saakovv - New rules for AWS
2025-10-22
3ae99cfc5
Swachchhanda Shrawan Poudel
Merge PR #5533 from @swachchhanda000 - fix: github reported issues
2025-10-18
de97c8322
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022