We are processing CloudTrail logs to check and highlight actions not protected by MFA.
When someone signs in as Root all the events with eventType
AwsApiCall
have sessionContext
populated. For events of type AwsConsoleAction
it is missing. Can we get the context and MFA state somehow?
(ConsoleAction events do have tlsDetails
which is missing for AwsApiCall
)