AWS MFA device disabled
Description
AlphaSOC detected the disabling of an AWS Multi-Factor Authentication (MFA) device using the DeactivateMFADevice or DeleteVirtualMFADevice actions, potentially indicating an adversary attempting to establish persistence in a compromised AWS environment.
Impact
By disabling an MFA device, threat actors can more easily access already compromised resources. It allows them to maintain long-term access to the compromised account, potentially bypassing standard security measures and conducting further malicious activities, such as data exfiltration, resource manipulation, or lateral movement within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Informational | An AWS MFA device was disabled |
| Low | An AWS MFA device was disabled unexpectedly |
Investigation and Remediation
Investigate the AWS MFA device disabling by reviewing AWS CloudTrail logs to identify the IP address, user agent, and associated API calls. Verify whether the action was authorized and performed by a legitimate user. If unauthorized, re-enable MFA, reset the affected user's credentials, and review recent account activity for signs of compromise.
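The triage described above, as an added example that is not AlphaSOC's own detection code: it scans a CloudTrail log file for the two MFA-disable actions and pulls out the actor, target user, source IP, user agent and whether the call succeeded. The records are constructed sample data, and the `expected_actors` parameter (principals allowed to disable MFA during maintenance, rated Informational rather than Low) is an assumption of this example.

```python
import json

# Constructed sample CloudTrail log file (not real data); field names follow the
# CloudTrail record format, but every value here is made up for illustration.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/bob"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteVirtualMFADevice", "sourceIPAddress": "198.51.100.9",
     "userAgent": "console.amazonaws.com", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"serialNumber": "arn:aws:iam::123456789012:mfa/carol"}},
]})

MFA_DISABLE_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

def find_mfa_disable_events(cloudtrail_json, expected_actors=()):
    """Return one finding per MFA-disable call with the fields needed for triage.
    expected_actors (assumed parameter) lists principals, e.g. a maintenance
    role, whose actions are rated Informational instead of Low."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in MFA_DISABLE_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        actor = identity.get("userName") or identity.get("arn") or identity.get("type")
        serial = params.get("serialNumber", "")
        # DeleteVirtualMFADevice carries only the serial; derive the owner from the ARN.
        target = params.get("userName") or serial.rsplit("/", 1)[-1] or None
        findings.append({
            "time": rec.get("eventTime"), "action": rec["eventName"],
            "actor": actor, "target_user": target, "mfa_serial": serial or None,
            "source_ip": rec.get("sourceIPAddress"), "user_agent": rec.get("userAgent"),
            "succeeded": "errorCode" not in rec,  # denied calls still merit review
            "severity": "Informational" if actor in expected_actors else "Low",
        })
    return findings
```

Failed (AccessDenied) attempts are kept in the output on purpose, since a denied call against another user's device is still worth investigating.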
Known False Positives
- An administrator intentionally disabling MFA during account maintenance