AWS IAM Virtual MFA Device Registration Attempt with Session Token

Detects attempts to create or enable a Virtual MFA device (CreateVirtualMFADevice, EnableMFADevice) using temporary AWS credentials (access keys beginning with ASIA). Session credentials are short-lived and tied to existing authenticated sessions, so using them to register or enable MFA devices is unusual. Adversaries who compromise temporary credentials may abuse this behavior to establish persistence by attaching new MFA devices to maintain access to high-privilege accounts despite key rotation or password resets.

Rule type: eql
Rule indices:

  • logs-aws.cloudtrail-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Cloud
  • Data Source: AWS
  • Data Source: Amazon Web Services
  • Data Source: AWS CloudTrail
  • Data Source: AWS IAM
  • Tactic: Persistence
  • Use Case: Identity and Access Audit
  • Resources: Investigation Guide

Version: 104
Rule authors:

  • Elastic

Rule license: Elastic License v2

Temporary credentials that start with the prefix ASIA are generated by the AWS Security Token Service (STS). These session tokens are used for short-lived operations and should not be used to modify or register IAM authentication mechanisms. This rule detects cases where an IAM user or role uses such temporary credentials to invoke either CreateVirtualMFADevice or EnableMFADevice.

  • Identify the actor and session context

    • Review aws.cloudtrail.user_identity.arn and aws.cloudtrail.user_identity.access_key_id to determine the identity and confirm the ASIA prefix.
    • This rule automatically filters out console login sessions using aws.cloudtrail.session_credential_from_console, so alerts indicate non-console temporary credential usage.
    • Check user_agent.original, source.ip, and cloud.region to determine if this activity originated from an expected host, VPN, or location.
    • Cross-reference with prior activity by this identity, especially GetSessionToken, AssumeRole, or GetCallerIdentity calls.
  • Correlate related IAM events

    • Search for subsequent or preceding calls to:
      • EnableMFADevice (after CreateVirtualMFADevice)
      • DeactivateMFADevice or DeleteVirtualMFADevice
      • ListMFADevices, ListUsers, or UpdateLoginProfile
    • Review whether new MFA devices were successfully enabled (event.outcome:success).
  • Assess session scope and privileges

    • Identify what IAM policies are attached to the user or role that issued this request.
    • If the temporary credentials were created via AssumeRole or GetSessionToken, check the originating principal’s permissions.
  • Investigate possible persistence

    • Look for new MFA devices listed for privileged users (e.g., account root or admin roles).
    • Review login history for those accounts following the MFA change.
  • Legitimate Administrative or Automated Actions
    Certain IAM administrative workflows or CI/CD automation tools may register or enable MFA devices using temporary session credentials. Confirm whether the calling principal is part of an authorized automation process or a known identity performing account configuration tasks.

  • Expected Console Behavior
    Console-based MFA operations are automatically filtered out by this rule using the aws.cloudtrail.session_credential_from_console field. Alerts from this rule indicate MFA operations performed with temporary credentials obtained outside of console login sessions.

  • Immediate containment

    • Revoke or expire the temporary credentials (aws sts revoke-session if applicable).
    • Disable or delete any newly created virtual MFA devices using DeleteVirtualMFADevice.
    • Rotate passwords and long-term access keys for the associated IAM users.
  • Investigation and scoping

    • Review CloudTrail logs for related IAM modifications (UpdateLoginProfile, AttachUserPolicy, CreateAccessKey).
    • Identify any new API keys or tokens created after the MFA registration.
    • Cross-check whether the attacker leveraged the new MFA binding for session persistence or login.
  • Recovery and hardening

    • Restrict the iam:EnableMFADevice and iam:CreateVirtualMFADevice permissions to trusted admin roles.
    • Implement aws:MultiFactorAuthPresent conditions in IAM policies.
    • Monitor for any future ASIA credential–based IAM configuration changes.
Rule query:

```eql
iam where event.dataset == "aws.cloudtrail"
  and event.provider == "iam.amazonaws.com"
  and event.outcome == "success"
  and event.action in ("CreateVirtualMFADevice", "EnableMFADevice")
  and startsWith(aws.cloudtrail.user_identity.access_key_id, "ASIA")
  and not aws.cloudtrail.session_credential_from_console == "true"
```
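To show the query's logic outside Elastic, the following is an added Python example (not part of the Elastic rule) that applies the same conditions to constructed raw CloudTrail records; it assumes the integration's mappings, i.e. event.outcome is "success" when the record has no errorCode, and the console filter corresponds to CloudTrail's sessionCredentialFromConsole field.

```python
# Constructed sample CloudTrail records (not real events), trimmed to the
# fields the rule evaluates. Key IDs and account number are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/DevRole/ci-runner",
                      "accessKeyId": "ASIAEXAMPLE000000001"},
     "sessionCredentialFromConsole": "false"},          # should alert
    {"eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAEXAMPLE000000002"}},  # long-term key, no alert
    {"eventSource": "iam.amazonaws.com", "eventName": "EnableMFADevice",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/console",
                      "accessKeyId": "ASIAEXAMPLE000000003"},
     "sessionCredentialFromConsole": "true"},           # console session, filtered out
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000004"},
     "errorCode": "AccessDenied"},                      # failed call, no alert
]

MFA_ACTIONS = {"CreateVirtualMFADevice", "EnableMFADevice"}


def matches_rule(event: dict) -> bool:
    """Return True when a raw CloudTrail record satisfies every clause of the rule."""
    if event.get("eventSource") != "iam.amazonaws.com":      # event.provider
        return False
    if event.get("eventName") not in MFA_ACTIONS:            # event.action in (...)
        return False
    if "errorCode" in event:                                 # event.outcome == "success"
        return False
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    if not key_id.startswith("ASIA"):                        # temporary STS credential
        return False
    if event.get("sessionCredentialFromConsole") == "true":  # console filter
        return False
    return True


def find_alerts(events):
    """Return (action, actor ARN, access key id) for each record that matches."""
    return [
        (e["eventName"], e["userIdentity"].get("arn", "<no arn>"), e["userIdentity"]["accessKeyId"])
        for e in events if matches_rule(e)
    ]


if __name__ == "__main__":
    for action, arn, key in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {action} by {arn} using {key}")
```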

Framework: MITRE ATT&CK