Successful Non-SAML Console Login Without MFA

This alert occurs when Lacework detects attempts to log in to AWS without using multi-factor authentication (MFA). This alert excludes logins performed via SAML authentication.

Why this alert is important

MFA is a recommended practice in AWS that enhances security by adding an additional layer of protection beyond username and password. By enabling MFA, users accessing the AWS Management Console must provide their username, password, and an authentication code from their AWS MFA device. These multiple factors work together to ensure increased security for your AWS account settings and resources.

When a user logs in to AWS without MFA, the account is protected by a password alone, which falls short of the recommended security controls for console access.
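The alert condition described above can be reproduced from CloudTrail `ConsoleLogin` records: a successful console login whose `additionalEventData.MFAUsed` is not `Yes` and which carries no `SamlProviderArn`. The following is an added example, not Lacework's own detection code; the sample events are constructed and the account ID and provider name are placeholders.

```python
# Added example: flag successful non-SAML console logins without MFA
# from CloudTrail ConsoleLogin records. Sample events are constructed.
SAMPLE_EVENTS = [
    # IAM user, password only -> should alert
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:15:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # IAM user with MFA -> no alert
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:20:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # SAML-federated login (MFA handled by the IdP) -> excluded
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:25:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Dev/carol"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No",
                             "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"}},
    # Failed password-only login -> not a *successful* login, no alert here
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-10T08:30:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]

def is_non_saml_login_without_mfa(event):
    """True when the record is a successful console login, not via SAML, without MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    extra = event.get("additionalEventData", {})
    if "SamlProviderArn" in extra:          # SAML logins are out of scope for this alert
        return False
    return extra.get("MFAUsed", "No") != "Yes"   # a missing field is treated as no MFA

def find_alerts(events):
    """Return (user, source IP, time) triples for every matching login."""
    return [(e["userIdentity"].get("userName") or e["userIdentity"].get("arn"),
             e.get("sourceIPAddress"), e.get("eventTime"))
            for e in events if is_non_saml_login_without_mfa(e)]

if __name__ == "__main__":
    for user, ip, when in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {user} logged in from {ip} at {when} without MFA")
```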

Investigation

Possible investigation steps include:

  1. Investigate any related alerts associated with the user account during the past 48 hours. Look for any indicators of suspicious or unauthorized activities, such as unusual login patterns, multiple failed login attempts, or any other anomalous behavior.
  2. Examine your logs to determine if similar login attempts without MFA have occurred in the past. Look for any recurring patterns or indicators of unauthorized access. This step helps establish whether the current activity is an isolated incident or part of a broader security issue.
  3. Analyze the source IP address and geolocation of the user who performed the login. Compare this information with typical patterns for that user. If the IP address or geolocation appears unusual or inconsistent with the user's normal behavior, it may indicate unauthorized access or a compromised account.
  4. Review the commands, API calls, and data management actions performed by the account in the last 24 hours. This analysis can provide insights into the intentions and potential impact of the unauthorized login attempt. Look for any suspicious or unauthorized activities, such as attempts to modify security settings, access sensitive data, or create new resources.
  5. Contact the account owner or the responsible party to confirm whether they recognize the login activity. Verify if the login attempt was legitimate or if there is any indication of an account compromise. Prompt communication with the account owner can help clarify the situation and gather additional information.
  6. If there are signs of a compromised account, investigate further to determine the extent of the compromise. Track the access to servers, services, and data with which the account has interacted in the last 24 hours. Identify any potentially compromised assets and assess the impact on your environment's security.

False positive alert

If the alert is determined to be a false positive, we still recommend taking steps to enforce the use of MFA, because console access without MFA poses significant risks to the overall security of the cloud environment.

Resolution

To effectively resolve this alert, consider the following steps:

  1. Assess the potential impact of the incident and prioritize actions accordingly. Consider the following steps to gain context:
    • Identify the account's role within the cloud environment, understanding its privileges and access levels.
    • Identify the criticality of the services or servers associated with the incident.
    • Collaborate with the IT team to identify and minimize user impact and ensure continued service availability.
    • Determine if the attacker has moved laterally within the environment and compromised other accounts, servers, or services.
    • Evaluate if there are any regulatory or legal ramifications associated with the unauthorized activity.
  2. Enable multi-factor authentication for the affected user account to provide an additional layer of protection and help prevent unauthorized access to the AWS resources.
  3. Refer to the security best practices outlined by AWS in their documentation. Implement these recommendations to enhance the overall security of your AWS environment.
  4. Utilize the data gathered during the incident response to improve logging and audit policies, such as adjusting log retention periods, enabling comprehensive monitoring, and refining detection mechanisms.