DeactivateMFADevice
AWS
DeactivateMFADevice
Event
Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.
Security Context
- Deactivating MFA weakens authentication controls, allowing password-only access to accounts that previously required a second factor.
- An adversary with access to an IAM user’s credentials can deactivate MFA to maintain persistent access without needing the physical token or authenticator app.
- Correlate with subsequent console logins or API calls from the affected user to detect post-MFA-removal activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — operating with compromised long-term credentials — calls DeactivateMFADevice against his own user to remove the MFA gate before pivoting to console-only flows. Same-user operation (userIdentity.userName == requestParameters.userName) is a strong T1556.006 signal. Source IP is the adversary’s primary egress; user-agent is the older Pacu-fingerprint CLI. mfaAuthenticated: "false" is consistent with the credential being a plain access-key session.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T19:11:34Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "userName": "draco", "serialNumber": "arn:aws:iam::555123456789:mfa/draco-yubikey" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011001000", "eventID": "90000000-0000-4000-8000-000011001001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "iam.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1556.006 — Multi-Factor Authentication — Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.