MFA Device Deactivated

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: IAM-051

This rule detects MFA device deactivation for IAM users. When a DeactivateMFADevice event is triggered, the system decommissions the specified MFA device and removes its association with the IAM user name for which it was originally enabled, removing the extra layer of protection that gave the IAM user stronger authentication.

An IAM user is an identity created for your Amazon Web Services account that has specific custom permissions (for example, permissions to create and configure IAM roles). You can use an IAM user name and password to sign in to your AWS Management Console to access all of your AWS resources or just a certain service or resource (by implementing the principle of least privilege). As a security best practice, it is always recommended to supplement your usual IAM user names and passwords with a one-time passcode during authentication. This method is known as Multi-Factor Authentication and allows you to enable extra security for your Amazon IAM users. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying your IAM user identity by requiring an authentication code generated by a virtual or hardware device, used in addition to your usual access credentials (i.e. username and password). The MFA device signature adds an extra layer of protection on top of your existing user credentials, making your AWS account virtually impossible to breach without the unique code generated by the device.

However, in large organizations or multi-tier AWS environments with tens or hundreds of users, securing access to Amazon cloud resources makes it absolutely necessary to monitor any request made to decommission the MFA device associated with an IAM user. For example, a privileged IAM user within your organization account is having trouble signing in with a Multi-Factor Authentication device, so the user deactivates the device to be able to sign in without using MFA. The user might do this as a temporary solution while the MFA device is replaced.

To ensure that a new MFA device is enabled as soon as possible and associated with the involved IAM user, you need to be notified first about the event. Cloud Conformity RTMA will detect the DeactivateMFADevice event and send notifications to the recipients defined within your Cloud Conformity account settings. The communication channels for sending these notifications can be easily configured within your Cloud Conformity account. The supported communication channels for receiving these event alerts are Email, SMS, Slack, PagerDuty, ServiceNow and Zendesk. Cloud Conformity strongly recommends using this RTMA feature to ensure that Multi-Factor Authentication stays enabled 24/7 for privileged IAM users (users with access to certain AWS resources or that are exposed to sensitive data) in order to maintain secure access to your Amazon Web Services account and adhere to security best practices.
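The detection described above can be sketched over CloudTrail records. This is an added example, not Conformity's own code: it flags successful DeactivateMFADevice events and keeps a user listed until a later EnableMFADevice event shows a replacement device was attached. The sample events, user names and the `open_mfa_gaps` helper are constructed for illustration, and the sketch assumes one MFA device per user.

```python
# Constructed CloudTrail records for illustration (not real account data).
def _ev(time, name, actor, target, error=None):
    ev = {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "IAMUser", "userName": actor},
          "requestParameters": {"userName": target,
                                "serialNumber": f"arn:aws:iam::111122223333:mfa/{target}"}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _ev("2018-09-07T10:00:00Z", "DeactivateMFADevice", "alice", "alice"),
    _ev("2018-09-07T10:20:00Z", "EnableMFADevice", "alice", "alice"),
    _ev("2018-09-07T11:00:00Z", "DeactivateMFADevice", "bob", "carol"),
    _ev("2018-09-07T11:05:00Z", "DeactivateMFADevice", "erin", "dave", error="AccessDenied"),
]

def open_mfa_gaps(events):
    """Return {user: details} for users whose MFA was removed and not re-enabled."""
    gaps = {}
    # CloudTrail's ISO 8601 UTC timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("errorCode"):
            continue  # other services, or failed calls that changed nothing
        params = ev.get("requestParameters") or {}
        target = params.get("userName")
        if ev.get("eventName") == "DeactivateMFADevice":
            identity = ev.get("userIdentity", {})
            actor = identity.get("userName") or identity.get("arn", "unknown")
            gaps[target] = {"since": ev["eventTime"], "actor": actor,
                            "self_service": actor == target,
                            "serial": params.get("serialNumber")}
        elif ev.get("eventName") == "EnableMFADevice":
            gaps.pop(target, None)  # a replacement device closes the gap
    return gaps

if __name__ == "__main__":
    for user, gap in open_mfa_gaps(SAMPLE_EVENTS).items():
        who = "themselves" if gap["self_service"] else gap["actor"]
        print(f"{user}: no MFA since {gap['since']} (deactivated by {who})")
```

Deactivations performed by someone other than the affected user, as in the constructed `carol` record, are worth routing to a higher-priority channel than self-service device swaps.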

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.


Having an MFA-protected AWS account represents an efficient way to safeguard your cloud resources against malicious actors, as MFA adds extra security to the authentication process by forcing the IAM users to enter a unique passcode generated by an approved authentication device every time they sign in to your Amazon Web Services account. Cloud Conformity RTMA can detect any Multi-Factor Authentication decommission request performed by IAM users within your AWS account and notify you in real time through multiple predefined communication channels.


Publication date Sep 7, 2018
