User Calltype MFA
This alert occurs when Lacework detects a user accessing a service with MFA for the first time.
Why this Alert is Important
As an AWS administrator, you want to know when a new AWS user logs in for the first time so you can confirm this is an authorized user. An unauthorized user with full administrative privileges can escalate permissions to perform malicious actions or exfiltrate data.
Investigation
Use AWS CloudTrail, which logs activity in your AWS account, to determine which IAM entity performed the unauthorized operations. Additionally, the service last accessed data in the AWS Console can help you audit permissions.
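As an added example (not Lacework's or AWS's own code), the following Python reproduces this alert's condition over a constructed set of CloudTrail records: it reports the first MFA-authenticated call each principal makes to each AWS service, which is the event to pull out of CloudTrail when investigating. The sample records and the optional baseline of already-seen (principal, service) pairs are assumptions.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (principal, eventSource)


def _rec(time: str, source: str, name: str, user: str, mfa: str) -> Dict:
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}}


# Constructed sample records, deliberately out of time order.
SAMPLE_RECORDS: List[Dict] = [
    _rec("2024-01-01T10:00:00Z", "s3.amazonaws.com", "ListBuckets", "alice", "true"),
    _rec("2024-01-01T10:05:00Z", "s3.amazonaws.com", "GetObject", "alice", "true"),
    _rec("2024-01-01T10:07:00Z", "iam.amazonaws.com", "ListUsers", "bob", "false"),
    _rec("2024-01-01T09:50:00Z", "ec2.amazonaws.com", "DescribeInstances", "bob", "true"),
    _rec("2024-01-01T11:00:00Z", "iam.amazonaws.com", "AttachUserPolicy", "alice", "true"),
]


def is_mfa_authenticated(record: Dict) -> bool:
    """CloudTrail stores the MFA flag as the string "true"/"false" under sessionContext."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def principal_name(record: Dict) -> str:
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def first_mfa_service_access(records: Iterable[Dict],
                             baseline: Optional[Set[Key]] = None
                             ) -> List[Tuple[str, str, str, str]]:
    """Return (principal, service, eventTime, eventName) for each MFA-authenticated
    call that is the first one a principal makes to that service. `baseline` holds
    (principal, service) pairs already observed in earlier log periods."""
    seen: Set[Key] = set(baseline or ())
    findings: List[Tuple[str, str, str, str]] = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):  # process in time order
        if not is_mfa_authenticated(rec):
            continue  # non-MFA sessions are outside this alert's scope
        key: Key = (principal_name(rec), rec["eventSource"])
        if key in seen:
            continue
        seen.add(key)
        findings.append((key[0], key[1], rec["eventTime"], rec["eventName"]))
    return findings
```

Feeding the baseline from a previous period's findings keeps the check incremental, so only genuinely new user-to-service pairs surface.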
Resolution
The following are resolutions that you can implement:
- Rotate and delete all AWS access keys.
- Rotate any potentially unauthorized IAM user credentials.
- Delete any unrecognized or unauthorized resources.
- Implement the best practice of least privilege.
Related Information
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html