Enforcing MFA in AWS with CloudTrail Queries and Automated Runbooks
An alert triggers. AWS CloudTrail shows a login event. The source IP is unfamiliar. Multi-Factor Authentication (MFA) wasn’t used. You need to know what happened and act fast.
Multi-Factor Authentication adds a second proof of identity to your AWS accounts. It blocks most credential theft attacks. But MFA only defends if used consistently. CloudTrail stores every login event, including whether MFA was present. A practical way to enforce MFA is to query CloudTrail, detect violations, and run a repeatable playbook.
Why MFA CloudTrail Queries Matter
CloudTrail records carry fields like userIdentity.sessionContext.attributes.mfaAuthenticated. If this value is "false", the session that performed the login was not MFA-authenticated. Using Athena, CloudWatch Logs Insights, or AWS CLI queries, you can scan recent events for logins made without MFA. This is not theory: it is fast, cheap, and works across all AWS accounts.
Example Athena SQL to detect non-MFA logins in CloudTrail:
-- Console logins whose session context says MFA was not used
SELECT eventTime, userIdentity.userName, sourceIPAddress
FROM cloudtrail_logs
WHERE userIdentity.sessionContext.attributes.mfaAuthenticated = 'false'
AND eventName = 'ConsoleLogin';
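The same test applied to raw CloudTrail records rather than through Athena, as an added example that is not part of the original post: this is the check a Lambda or scheduled job would run after pulling events from the S3 log bucket or the CloudTrail LookupEvents API. It also handles two details the SQL above leaves out: ConsoleLogin records carry a second indicator, additionalEventData.MFAUsed ("Yes"/"No"), which the CIS benchmark metric filter uses and which is present even when a record has no sessionContext (root logins, older records), and failed logins are skipped so that a password-guessing attempt does not lock out the targeted user. The function names and the sample events are constructed for this example; the sample IPs are documentation ranges, not real log data.

```python
"""Flag successful AWS console logins completed without MFA (added example)."""
from __future__ import annotations
import json

# Constructed sample CloudTrail records (not real log data): an MFA login, a
# non-MFA login, a failed login without MFA, and a root login without MFA.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T09:12:01Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-15T09:40:22Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # Failed attempt: the credential never worked, so this is not an MFA violation
    {"eventTime": "2024-01-15T10:01:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
    # Root login without MFA: no sessionContext, so only MFAUsed tells the story
    {"eventTime": "2024-01-15T11:30:45Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def mfa_used(event: dict) -> bool:
    """True if either CloudTrail MFA indicator says MFA was present.

    Both indicators are strings, not booleans: mfaAuthenticated is "true"/"false",
    MFAUsed is "Yes"/"No". A missing field is treated as "no MFA".
    """
    ident = event.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    if str(attrs.get("mfaAuthenticated", "")).lower() == "true":
        return True
    return (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"


def principal_name(event: dict) -> str:
    """Attributable name for the finding; root has no userName, so use the ARN."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_non_mfa_logins(events: list[dict]) -> list[dict]:
    """Return one finding per successful ConsoleLogin completed without MFA."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if (ev.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue  # failed logins are a brute-force signal, not an MFA gap
        if mfa_used(ev):
            continue
        findings.append({
            "eventTime": ev.get("eventTime"),
            "principal": principal_name(ev),
            "principalType": (ev.get("userIdentity") or {}).get("type"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_non_mfa_logins(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run as written it reports two findings (bob and the root ARN); the MFA login and the failed attempt are skipped. If you port the extra conditions back to Athena, add `AND additionalEventData.MFAUsed != 'Yes'` and `AND responseElements.ConsoleLogin = 'Success'` to the query above.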
Runbooks for MFA Enforcement
A runbook is a documented, automated sequence. For MFA violations, the runbook should:
- Identify the account and event details from the query.
- Disable or lock the IAM user until MFA is enabled.
- Notify security teams via SNS or Slack webhook.
- Record the incident in your tracking system.
Runbooks reduce response time, remove guesswork, and keep enforcement consistent. Integrating CloudTrail queries into runbooks ensures every violation is handled the same way.
Automating the Loop
Use EventBridge rules to trigger the runbook when a query detects MFA = false. Lambda functions can run the query, parse results, and call remediation scripts. This makes MFA compliance a background process, not a manual check.
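The four runbook steps listed above wired into the EventBridge-to-Lambda loop described here, as an added example rather than code from the original post or from hoop.dev. It is shaped as a Lambda handler that receives a CloudTrail ConsoleLogin record in the EventBridge `detail` field, re-checks the MFA indicator, locks the IAM user behind a quarantine policy, publishes to SNS and records the incident. The "lock" is an inline policy that denies every action except MFA enrolment whenever the request is not MFA-authenticated, modelled on the self-managed-MFA policy in the IAM documentation; root cannot carry an IAM policy, so a root login is escalated instead. AWS clients are injected so the module runs offline against the in-memory fakes below; the policy name, topic ARN, the event shape and the `InMemoryTracker` stand-in for your ticketing system are assumptions. The idempotency check matters because EventBridge delivers at least once.

```python
"""Lambda-shaped runbook for a console login without MFA (added example)."""
import json
from datetime import datetime, timezone

QUARANTINE_POLICY_NAME = "MfaQuarantine"                          # assumed name
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-alerts"   # placeholder ARN
MFA_MANAGE = ["iam:GetUser", "iam:ListMFADevices", "iam:CreateVirtualMFADevice",
              "iam:EnableMFADevice", "iam:ResyncMFADevice"]
# Deny everything but MFA enrolment while the request is not MFA-authenticated.
# BoolIfExists also catches long-term access keys, which carry no MFA context.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingMfaDevices", "Effect": "Allow",
         "Action": ["iam:ListVirtualMFADevices"], "Resource": "*"},
        {"Sid": "AllowOwnMfaEnrolment", "Effect": "Allow", "Action": MFA_MANAGE,
         "Resource": ["arn:aws:iam::*:user/${aws:username}",
                      "arn:aws:iam::*:mfa/${aws:username}"]},
        {"Sid": "DenyAllElseWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_MANAGE + ["iam:ListVirtualMFADevices", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


class InMemoryTracker:
    """Stand-in for the incident tracking system (DynamoDB table, ticketing API)."""
    def __init__(self):
        self.incidents = {}
    def seen(self, event_id):
        return event_id in self.incidents
    def record(self, finding):
        self.incidents[finding["eventId"]] = finding


class FakeIam:
    """Records put_user_policy calls instead of calling IAM (offline stand-in)."""
    def __init__(self):
        self.policies = {}
    def put_user_policy(self, *, UserName, PolicyName, PolicyDocument):
        self.policies[(UserName, PolicyName)] = json.loads(PolicyDocument)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


class FakeSns:
    """Collects publish calls instead of sending them (offline stand-in)."""
    def __init__(self):
        self.published = []
    def publish(self, *, TopicArn, Subject, Message):
        self.published.append({"TopicArn": TopicArn, "Subject": Subject, "Message": Message})
        return {"MessageId": "constructed-message-id"}


def run_runbook(event: dict, *, iam, sns, tracker) -> dict:
    """Execute the four runbook steps for one EventBridge-delivered ConsoleLogin."""
    rec = event.get("detail", event)  # EventBridge wraps the CloudTrail record in "detail"
    login_ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    if rec.get("eventName") != "ConsoleLogin" or not login_ok:
        return {"action": "ignored", "reason": "not a successful console login"}
    if (rec.get("additionalEventData") or {}).get("MFAUsed") == "Yes":
        return {"action": "ignored", "reason": "MFA was used"}
    if tracker.seen(rec.get("eventID")):  # at-least-once delivery: do not re-run
        return {"action": "ignored", "reason": "already handled"}
    ident = rec.get("userIdentity") or {}
    finding = {  # Step 1: identify the account and event details
        "eventId": rec.get("eventID"), "eventTime": rec.get("eventTime"),
        "accountId": rec.get("recipientAccountId") or ident.get("accountId"),
        "principalType": ident.get("type"), "userName": ident.get("userName"),
        "sourceIPAddress": rec.get("sourceIPAddress"),
        "handledAt": datetime.now(timezone.utc).isoformat(),
    }
    # Step 2: lock the user until MFA is enabled; root gets a human instead
    if ident.get("type") == "IAMUser" and ident.get("userName"):
        iam.put_user_policy(UserName=ident["userName"], PolicyName=QUARANTINE_POLICY_NAME,
                            PolicyDocument=json.dumps(QUARANTINE_POLICY))
        finding["remediation"] = "quarantine policy attached"
    else:
        finding["remediation"] = "manual escalation required"
    # Step 3: notify the security team
    sns.publish(TopicArn=TOPIC_ARN, Message=json.dumps(finding, indent=2),
                Subject=f"Console login without MFA: {finding['userName'] or finding['principalType']}")
    tracker.record(finding)  # Step 4: record the incident
    return finding


def lambda_handler(event, context):
    """Real entry point with live clients; boto3 import kept local so the module runs offline."""
    import boto3
    return run_runbook(event, iam=boto3.client("iam"), sns=boto3.client("sns"),
                       tracker=InMemoryTracker())  # swap for a DynamoDB-backed tracker


SAMPLE_EVENT = {  # constructed EventBridge envelope around a ConsoleLogin record
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventID": "00000000-0000-4000-8000-000000000001",
               "eventTime": "2024-01-15T09:40:22Z", "eventName": "ConsoleLogin",
               "eventSource": "signin.amazonaws.com", "recipientAccountId": "111122223333",
               "sourceIPAddress": "198.51.100.7",
               "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
               "responseElements": {"ConsoleLogin": "Success"},
               "additionalEventData": {"MFAUsed": "No"}},
}


def demo():
    """Run the runbook twice on the same event to show remediation and idempotency."""
    iam, sns, tracker = FakeIam(), FakeSns(), InMemoryTracker()
    first = run_runbook(SAMPLE_EVENT, iam=iam, sns=sns, tracker=tracker)
    second = run_runbook(SAMPLE_EVENT, iam=iam, sns=sns, tracker=tracker)  # redelivery
    return first, second, iam, sns


if __name__ == "__main__":
    first, second, iam, sns = demo()
    print(json.dumps(first, indent=2))
    print(second)
```

The Lambda role needs only iam:PutUserPolicy and sns:Publish for this runbook. Once the user has enrolled a device, remove the inline policy (iam:DeleteUserPolicy) as the closing step of the same runbook, and keep the policy document itself in version control alongside the runbook so changes to what is allowed during quarantine are reviewed.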
Best Practices
- Require MFA for all IAM users and root accounts.
- Store CloudTrail logs in S3 with strong access controls.
- Audit MFA compliance weekly, even if automation is in place.
- Keep runbooks version-controlled and test them after each change.
If your AWS accounts don’t enforce MFA today, the risk window is wide open. With CloudTrail queries and automated runbooks, you can close that gap. See it live in minutes with hoop.dev and turn MFA compliance into a one-click reality.