Skip to main content
Splunk Lantern

Verifying multifactor authentication usage

The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and root accounts (1.14). Enabling MFA helps secure accounts, so conversely, the lack of MFA may result in accounts that are more easily compromised. You want to see if users are logging in without MFA.

Required data

AWS CloudTrail


Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=aws:cloudtrail eventName=ConsoleLogin
| stats count BY username, additionalEventData.MFAUsed

Search explanations

Splunk Search Explanation
sourcetype=aws:cloudtrail Search only AWS CloudTrail logs.
eventName=ConsoleLogin Search for login events.
| stats count BY username, additionalEventData.MFAUsed Calculate total logins and sort by user name and whether MFA was used.

Next steps

These additional Splunk resources might help you understand and implement these recommendations:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.