The Importance of Enforcing Multifactor Authentication in Your AWS Environment

Multifactor authentication (MFA) requires users to provide more than just a username and password to access resources. The additional information required may be an authentication code sent via text message, a push notification that requires approval, biometrics data, a secret question, or a key fob (among others). Together, the regular login and additional factor(s) provide increased security in both cloud and on-premises environments.

Why should you care? Because studies show that many—if not most—of the world's data breaches are attributable to compromised authentication. For example, reports showed that the leak of the three billion Yahoo! user accounts in 2013/4 was, in large part, due to compromised credentials. Such a mistake can cost a company dearly.

Bottom line: If you do not yet have MFA enabled in your AWS environment, go do that now and come back to finish reading this post later. I'll wait. (Here's a great resource on how to enable MFA in AWS.)

How to Keep Your AWS Environment Protected on a Continuous Basis

Once you've enabled MFA and rolled out a strict authentication policy, it's time to ensure that no single-factor authenticated users escape your purview. If you're already using Splunk Enterprise Security (ES) and the Enterprise Security Content Update (ESCU), you can take advantage of a cool new detection search designed to help you monitor for users without MFA enabled in AWS.

The search, called "Detect users without MFA enabled in AWS," looks for successful API calls recorded in CloudTrail that were made without MFA. It filters out events triggered by known users or service accounts. It then outputs a table containing the event names and their count, as well as the first and last time each remaining user or service account was seen.

To enable this search, you'll need to install the Splunk App for AWS (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You'll populate the expanded identity lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Splunk ES.

Be prepared for false positives, such as legitimate activity detected by users/service accounts that are not listed in the AWS service accounts user file. If a user does turn out to be a verified service account, you can whitelist them by adding them to the AWS service accounts lookup table.
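The logic of that search, implemented in Python over a handful of constructed CloudTrail records so it can be run offline (this is an added illustration, not Splunk's SPL or the ESCU search itself). It keeps only successful calls, treats any call whose session does not carry `mfaAuthenticated == "true"` as single-factor, drops principals listed in an assumed service-account allowlist that stands in for the AWS service accounts lookup table, and aggregates event names, count, first seen and last seen per principal. The field names `eventName`, `eventTime`, `errorCode` and `userIdentity.sessionContext.attributes.mfaAuthenticated` are real CloudTrail fields; the principal names and timestamps are made up.

```python
from datetime import datetime

# Constructed CloudTrail-style records (not real logs); only the fields the check reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    # Failed call: errorCode present, so it is not a "successful API call" and is skipped.
    {"eventTime": "2024-03-01T10:06:00Z", "eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    # Long-term access key call: no sessionContext at all, so it can never be MFA-authenticated.
    {"eventTime": "2024-03-01T10:07:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
    # Root user has no userName; the ARN is used as the principal name instead.
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "GetAccountSummary",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]

# Assumed allowlist standing in for the "AWS service accounts" lookup table.
SERVICE_ACCOUNTS = {"ci-deploy"}


def is_successful(event):
    """CloudTrail sets errorCode only when the call failed."""
    return "errorCode" not in event


def mfa_used(event):
    """True only when the session was explicitly MFA-authenticated."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def principal_name(event):
    ui = event.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn", "unknown")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_users_without_mfa(events, service_accounts=SERVICE_ACCOUNTS):
    """Return {principal: {eventNames, count, firstTime, lastTime}} for
    successful, non-MFA calls by principals not on the service-account allowlist."""
    findings = {}
    for event in events:
        if not is_successful(event) or mfa_used(event):
            continue
        name = principal_name(event)
        if name in service_accounts:
            continue
        ts = parse_time(event["eventTime"])
        entry = findings.setdefault(
            name, {"eventNames": set(), "count": 0, "firstTime": ts, "lastTime": ts})
        entry["eventNames"].add(event["eventName"])
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ts)
        entry["lastTime"] = max(entry["lastTime"], ts)
    return findings


if __name__ == "__main__":
    for name, entry in detect_users_without_mfa(SAMPLE_EVENTS).items():
        print(name, sorted(entry["eventNames"]), entry["count"],
              entry["firstTime"].isoformat(), entry["lastTime"].isoformat())
```

Run as written it reports bob (two successful non-MFA calls) and the root ARN, while alice (MFA) and ci-deploy (allowlisted) are absent. Adding a name to `SERVICE_ACCOUNTS` is the equivalent of the whitelisting step described above; note that calls made with long-term access keys carry no `sessionContext`, so they are flagged as non-MFA unless the principal is allowlisted.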

Keep An Eye Out for Unusual Access Control List Activity

Another cloud search included in this week’s ESCU release looks for AWS CloudTrail log entries that have recorded AWS API calls specifically for creating/modifying/replacing network access-control lists (ACLs). Spikes in these types of activities may indicate that an unauthorized user is trying to interfere with your ACLs.

This search requires the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later).
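To show what "spikes in these types of activities" means in practice, here is an added Python example (not the ESCU search) that runs a sliding-window count over constructed CloudTrail records. It selects the EC2 API calls that create, delete or replace network ACLs and their entries (the `eventName` values listed are the real EC2 action names), groups them per principal, and raises an alert when any principal issues at least `threshold` such calls within `window_seconds`. The principals, timestamps, window size and threshold are assumptions chosen for the illustration; failed attempts are counted too, since a denied attempt to rewrite an ACL is still worth seeing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# EC2 API actions that create, modify, delete or replace network ACLs (real eventName values).
ACL_WRITE_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry",
    "DeleteNetworkAcl", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}


def _rec(stamp, name, user, error=None):
    """Build a constructed CloudTrail-style record."""
    rec = {"eventTime": stamp, "eventName": name, "userIdentity": {"userName": user}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: "eve" rewrites ACL entries in a burst; "ops-admin" makes two
# routine changes hours apart plus a read-only call that must be ignored.
SAMPLE_EVENTS = [
    _rec("2024-03-01T09:00:00Z", "CreateNetworkAclEntry", "ops-admin"),
    _rec("2024-03-01T09:01:00Z", "DescribeNetworkAcls", "ops-admin"),
    _rec("2024-03-01T10:00:05Z", "CreateNetworkAclEntry", "eve"),
    _rec("2024-03-01T10:00:40Z", "CreateNetworkAclEntry", "eve"),
    _rec("2024-03-01T10:01:10Z", "ReplaceNetworkAclEntry", "eve"),
    _rec("2024-03-01T10:01:55Z", "DeleteNetworkAclEntry", "eve", error="UnauthorizedOperation"),
    _rec("2024-03-01T10:02:30Z", "ReplaceNetworkAclAssociation", "eve"),
    _rec("2024-03-01T10:03:00Z", "CreateNetworkAclEntry", "eve"),
    _rec("2024-03-01T11:30:00Z", "DeleteNetworkAclEntry", "ops-admin"),
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def principal_name(event):
    ui = event.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn", "unknown")


def detect_acl_spikes(events, window_seconds=600, threshold=5):
    """Return {principal: {count, windowStart, windowEnd}} for every principal whose
    densest window of ACL write calls holds at least `threshold` events."""
    by_user = defaultdict(list)
    for event in events:
        if event.get("eventName") in ACL_WRITE_EVENTS:
            by_user[principal_name(event)].append(parse_time(event["eventTime"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        best_count, best_start, best_end = 0, None, None
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window` of time.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start, best_end = count, times[start], times[end]
        if best_count >= threshold:
            alerts[user] = {"count": best_count,
                            "windowStart": best_start, "windowEnd": best_end}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_acl_spikes(SAMPLE_EVENTS).items():
        print(f"{user}: {alert['count']} ACL writes between "
              f"{alert['windowStart'].isoformat()} and {alert['windowEnd'].isoformat()}")
```

With the defaults, eve's six writes inside three minutes trigger an alert and ops-admin's two changes two and a half hours apart do not. In a real deployment the threshold should be tuned against the normal rate of ACL changes in the account, and the principals behind an alert checked against the same service-account lookup used for the MFA search, since automation that legitimately rebuilds ACLs will otherwise look like a spike.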

Install the Latest Version of ESCU

The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk ES Content Update v1.0.16 now.


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
