

Splunk Lantern

Verifying multifactor authentication usage


  • Product: Splunk Enterprise or Splunk Cloud Platform
  • Feature: Search
  • Function: Auditing AWS logins


The CIS Benchmark recommends the use of Multi-Factor Authentication (MFA) on accounts with a console password (Section 1.2) and root accounts (1.14). Enabling MFA helps secure accounts, so conversely, the lack of MFA may result in accounts that are more easily compromised. You want to see if users are logging in without MFA.


To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
    sourcetype=aws:cloudtrail eventName=ConsoleLogin
    | stats count BY username, additionalEventData.MFAUsed


| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=aws:cloudtrail` | Search only AWS CloudTrail logs. |
| `eventName=ConsoleLogin` | Search for login events. |
| `\| stats count BY username, additionalEventData.MFAUsed` | Count logins, grouped by user name and whether MFA was used. |
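The same grouping run offline over raw CloudTrail records, as an added example that is not part of the original article; it shows where `additionalEventData.MFAUsed` sits in the event JSON. The sample events are constructed, and mapping the search's `username` field to `userIdentity.userName` (with root logins labelled `root`) is an assumption.

```python
import json
from collections import Counter

# Constructed sample records, trimmed to the fields the search relies on.
SAMPLE_EVENTS = """
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}}
{"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "bob"}}
"""

def login_user(event):
    """Name to group by (assumption: root logins carry no userName)."""
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName", "unknown")

def mfa_counts(lines):
    """Count ConsoleLogin events per (user, MFAUsed) pair."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("eventName") != "ConsoleLogin":
            continue  # same filter as eventName=ConsoleLogin
        # A missing MFAUsed value is kept as "unknown" so it stays visible;
        # stats ... BY drops events that lack one of the BY fields.
        mfa = event.get("additionalEventData", {}).get("MFAUsed", "unknown")
        counts[(login_user(event), mfa)] += 1
    return counts

def users_without_mfa(counts):
    """Users with at least one login where MFAUsed was not "Yes"."""
    return sorted({user for (user, mfa) in counts if mfa != "Yes"})

if __name__ == "__main__":
    counts = mfa_counts(SAMPLE_EVENTS.splitlines())
    for (user, mfa), n in sorted(counts.items()):
        print(f"{user:10} MFAUsed={mfa:8} count={n}")
    print("review:", users_without_mfa(counts))
```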

Additional resources

These additional Splunk resources might help you understand and implement these recommendations:
