The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and root accounts (1.14). Enabling MFA helps secure accounts, so conversely, the lack of MFA may result in accounts that are more easily compromised. You want to see if users are logging in without MFA.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=aws:cloudtrail eventName=ConsoleLogin | stats count BY username, additionalEventData.MFAUsed
| Splunk Search | Explanation |
|---|---|
| sourcetype=aws:cloudtrail | Search only AWS CloudTrail logs. |
| eventName=ConsoleLogin | Search for login events. |
| \| stats count BY username, additionalEventData.MFAUsed | Count logins, grouped by user name and by whether MFA was used. |
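A narrower variant of the search above, added here as an example and not part of the original Splunk content: it keeps only successful logins, splits results by identity type so that root logins (CIS 1.14) stand apart from IAM users (CIS 1.2), and reports how many of each user's logins lacked MFA. It assumes the standard CloudTrail fields `responseElements.ConsoleLogin` and `userIdentity.type` are extracted alongside the fields the original search uses; the output field names (`identity_type`, `mfa_used`, `logins`, `without_mfa`, `pct_without_mfa`, `last_seen`) are illustrative.

```spl
sourcetype=aws:cloudtrail eventName=ConsoleLogin responseElements.ConsoleLogin=Success
| rename "userIdentity.type" AS identity_type, "additionalEventData.MFAUsed" AS mfa_used
| stats count AS logins, count(eval(mfa_used="No")) AS without_mfa, latest(_time) AS last_seen BY username, identity_type
| where without_mfa > 0
| eval pct_without_mfa=round(100*without_mfa/logins, 1), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - without_mfa
```

As with the original search, specify an index and adjust the time range before running it.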
These additional Splunk resources might help you understand and implement these recommendations:
- Blog: Digital breadcrumbs for AWS
- Blog: The importance of enforcing multifactor authentication in your AWS environment