AWS console login without MFA

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-05-18
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Initial Access (TA0001) Persistence (TA0003) Credential Access (TA0006)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004) Account Manipulation: Additional Cloud Credentials (T1098.001) Multi-Factor Authentication Request Generation (T1621)
Severity	Informational

Description

An identity logged in to the AWS console without MFA.

Attacker's Goals

Bypassing multifactor authentication controls to gain unauthorized access to the cloud environment.

Investigative actions

Determine why MFA was not enforced and whether MFA was ever enabled.
Track any subsequent activity performed by the identity after the login to identify potential misuse.