An attacker stripping MFA off an account is exactly the kind of thing you want to catch. Remove the second factor, and a stolen password is the whole game. So you write the rule: alert when someone calls DeactivateMFADevice or DeleteVirtualMFADevice.
It fires. Good. Then it fires again. Then it fires every single time someone leaves the company.
Because AWS removes MFA for you when you delete a user, and CloudTrail records the cleanup as the same event an attacker would generate.
The detection that looks correct
MFA removal maps cleanly to a real technique – credential access, account manipulation, T1556. Alerting on it is a defensible call that passes review without a second look. The rule is about as simple as detection gets:








