
User Calltype MFA

This alert occurs when Lacework detects a user accessing a service with MFA for the first time.

Why this Alert is Important

As an AWS administrator, you want to know when a new AWS user logs in for the first time so that you can confirm this is an authorized user. An unauthorized user with full administrative privileges can escalate permissions, perform malicious actions, or exfiltrate data.

Investigation

Use AWS CloudTrail, which logs API activity in your AWS account, to determine which IAM entity performed the operations and whether they were authorized. Additionally, the service last accessed data in the AWS Console can help you audit which permissions a user has actually exercised.
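As an added example (not Lacework's own detection logic or code), the following Python script applies the same first-seen test to CloudTrail records: it keeps only MFA-authenticated calls and reports each user/service pair the first time it appears, optionally skipping pairs already in a baseline you supply. The records are constructed for this example and are not real CloudTrail output; the field names (`userIdentity.sessionContext.attributes.mfaAuthenticated`, `additionalEventData.MFAUsed`, `eventSource`) follow CloudTrail's documented event format, and the IP addresses are from the TEST-NET ranges.

```python
"""Flag first-seen MFA-authenticated user/service pairs in CloudTrail records."""
import json

# Constructed sample records for this example (not real CloudTrail output).
SAMPLE_RECORDS = json.loads("""
[
  {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice",
     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
  {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice",
     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
  {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
   "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "bob",
     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
  {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
   "userIdentity": {"type": "IAMUser", "userName": "alice",
     "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
]
""")


def is_mfa_authenticated(record: dict) -> bool:
    """True if the call was made under an MFA-authenticated session.

    API calls carry the flag as the string "true"/"false" in
    userIdentity.sessionContext.attributes.mfaAuthenticated; console
    sign-in events report it as additionalEventData.MFAUsed ("Yes"/"No").
    """
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    if attrs.get("mfaAuthenticated") == "true":
        return True
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def principal_name(record: dict) -> str:
    """Name of the calling principal: IAM user name, else the ARN."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def first_mfa_access(records, known_pairs=()):
    """Return one finding per (user, service) pair seen with MFA for the first time.

    known_pairs is an optional baseline of (user, eventSource) tuples that
    have already been reviewed; those are never reported again.
    Records are processed in eventTime order so the earliest call wins.
    """
    seen = set(known_pairs)
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if not is_mfa_authenticated(rec):
            continue
        key = (principal_name(rec), rec["eventSource"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "user": key[0],
            "service": key[1],
            "first_seen": rec["eventTime"],
            "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress", ""),
        })
    return findings


if __name__ == "__main__":
    for f in first_mfa_access(SAMPLE_RECORDS):
        print(f"{f['first_seen']} {f['user']:<6} first MFA access to "
              f"{f['service']} ({f['event']}) from {f['source_ip']}")
```

Run against the sample, the script reports bob's console sign-in, alice's first S3 call and alice's first EC2 call; the repeated S3 call and bob's non-MFA IAM call are not reported. In practice you would feed it the `Records` array from CloudTrail log files and seed `known_pairs` from an earlier window so only genuinely new combinations surface, then pivot on `source_ip` and `event` to decide whether the access was expected.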

Resolution

The following are resolutions that you can implement:

  • Rotate and delete all AWS access keys.
  • Rotate any potentially unauthorized IAM user credentials.
  • Delete any unrecognized or unauthorized resources.
  • Implement the best practice of least privilege.

AWS IAM security best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html