AWS IAM user has signed in without MFA

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (should be achieved)
Rule ID: RTM-003

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine detected an AWS authentication session initiated by an IAM user without using MFA. An IAM user is an identity within your Amazon Web Services account that has specific custom permissions (for example, permissions to manage EC2 instances within a particular AWS region). You can use an IAM user name and password to sign in to your AWS Management Console to access all your resources - when the user has admin-level privileges (similar to root), or to access a certain service or resource - when the user has a specific set of privileges.

This rule can help you with the following compliance standards:

  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.


As a security best practice, it is always recommended to supplement your IAM user names and passwords by requiring a one-time passcode during authentication. This method is known as AWS Multi-Factor Authentication and allows you to enable extra security for your privileged IAM users. Multi-Factor Authentication (MFA) is a simple and efficient method of verifying your IAM user identity by requiring an authentication code generated by a virtual or hardware device on top of your usual access credentials (i.e. user name and password). The MFA device signature adds an additional layer of protection on top of your existing user credentials making your AWS account virtually impossible to breach without the unique code generated by the device.

Cloud Conformity recommends using Multi-Factor Authentication every time you sign in to your AWS account using a privileged IAM user (user with access to sensitive resources provisioned within your AWS account) in order to secure the access to your Amazon Web Services resources and adhere to security best practices.


Monitoring IAM access in real-time for vulnerability assessment is essential for keeping your AWS account safe. When an IAM user has administrator-level permissions (i.e. can modify or remove any resource, access any data in your AWS environment and can use any service or component – except the Billing and Cost Management service), just as with the AWS root account user, it is mandatory to secure the IAM user login with Multi-Factor Authentication.

Implementing MFA-based authentication for your IAM users represents the best way to protect your AWS resources and services against unauthorized users or attackers, as MFA adds extra security to the authentication process by forcing IAM users to enter a unique code generated by an approved authentication device.

Using Cloud Conformity RTMA MFA detection for IAM user authentication will help you enforce MFA-based access for all the privileged IAM users within your organization.


Publication date May 24, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

AWS IAM user has signed in without MFA

Risk level: High