Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
Recommended Mitigation
Create a metric filter and alarm for console logins that are not protected by multi-factor authentication (MFA).