DeactivateMFADevice
Event
Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.
Security Context
- Deactivating MFA weakens authentication controls, allowing password-only access to accounts that previously required a second factor.
- An adversary with access to an IAM user’s credentials can deactivate MFA to maintain persistent access without needing the physical token or authenticator app.
- Correlate with subsequent console logins or API calls from the affected user to detect post-MFA-removal activity.
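The correlation described in the last bullet, as an added example that is not part of this page: it scans a handful of constructed CloudTrail records (placeholder account id, user names, IP addresses and timestamps), finds each successful DeactivateMFADevice call, and lists every ConsoleLogin or API call the affected user made within a window afterwards, together with whether MFA was used for that later activity. The record layout (eventSource, eventName, requestParameters.userName, additionalEventData.MFAUsed, sessionContext.attributes.mfaAuthenticated) follows CloudTrail's documented fields; the window length and the self_service flag are this example's own choices.

```python
"""Correlate DeactivateMFADevice with follow-on activity by the affected IAM user.

Added example for this page, not code from the page or from AWS. The records
below are constructed for illustration: account id, user names, IPs and times
are placeholders.
"""
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records (deliberately out of time order).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-04T08:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # A denied attempt does not remove a device, so it is not a deactivation.
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"userName": "bob"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    return event.get("userIdentity", {}).get("userName")


def _target(event):
    """User whose device was removed: requestParameters.userName, or the
    caller when the parameter is omitted (IAM then applies it to the caller)."""
    return (event.get("requestParameters") or {}).get("userName") or _actor(event)


def _mfa_used(event):
    """'Yes'/'No' where CloudTrail records it, otherwise 'unknown'."""
    if event["eventName"] == "ConsoleLogin":
        return (event.get("additionalEventData") or {}).get("MFAUsed", "unknown")
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if "mfaAuthenticated" in attrs:
        return "Yes" if attrs["mfaAuthenticated"] == "true" else "No"
    return "unknown"


def is_mfa_deactivation(event):
    """Successful DeactivateMFADevice call (failed attempts carry errorCode)."""
    return (event.get("eventSource") == "iam.amazonaws.com"
            and event.get("eventName") == "DeactivateMFADevice"
            and not event.get("errorCode"))


def correlate(events, window=timedelta(hours=24)):
    """For each successful deactivation, collect the affected user's activity
    within `window` afterwards. Returns one finding per deactivation."""
    ordered = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(ordered):
        if not is_mfa_deactivation(ev):
            continue
        target, t0 = _target(ev), _ts(ev)
        followups = [
            {"eventTime": f["eventTime"], "eventName": f["eventName"],
             "eventSource": f["eventSource"], "sourceIPAddress": f.get("sourceIPAddress"),
             "mfa_used": _mfa_used(f)}
            for f in ordered[i + 1:]
            if _actor(f) == target and _ts(f) - t0 <= window
        ]
        findings.append({
            "target": target,
            "actor": _actor(ev),
            "deactivated_at": ev["eventTime"],
            # A user removing their own device is the pattern to scrutinise first.
            "self_service": _actor(ev) == target,
            "followups": followups,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```

With the constructed records, the only finding is alice deactivating her own device at 10:00, followed by a console login without MFA at 10:05 and an S3 call at 10:12; bob's call, alice's earlier MFA login and her call three days later fall outside the user or time filter, and carol's denied attempt is not counted as a deactivation. In production the same logic would run over records pulled from CloudTrail Lake, Athena or a SIEM rather than an inline list.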
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion
Techniques:
- T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as Multi-Factor Authenticati...