Rule: Ensure a log metric filter and alarm for Management Console sign-in without MFA

This rule checks that a log metric filter and a CloudWatch alarm exist for Management Console sign-ins that do not use MFA.

Rule: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Framework: cis_v130
Severity: Low

Rule Description

The rule requires that a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA), as specified by cis_v130. It strengthens the security of your AWS environment by raising an alert whenever someone signs in to the AWS Management Console without MFA, so that accounts still relying on a password alone can be found and corrected.

Remediation Steps

To remediate this rule, you need to create a log metric filter and alarm that will trigger an alert whenever there is a sign-in without MFA.

1. Create a Log Metric Filter

  • Log in to the AWS Management Console.
  • Go to the CloudWatch service.
  • In the left navigation pane, click on 'Logs' and select the log group to which CloudTrail delivers your events (Management Console sign-ins are recorded there as ConsoleLogin events).
  • Click on 'Create Metric Filter'.
  • In the 'Filter pattern' section, enter the following filter pattern:
    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }
  • Select 'Assign a new metric to the filter' and click on 'Create New Metric'.
  • In the 'Metric namespace' field, enter a relevant namespace for your metric, such as 'Security/MFA'.
  • Provide a name for your metric, for example, 'ManagementConsoleSignInWithoutMFA'.
  • Optionally, provide a description for your metric.
  • Click on 'Create Filter'.

2. Create an Alarm

  • After creating the log metric filter, you can create an alarm that triggers an alert whenever the filter matches any log events.
  • In the CloudWatch service, click on 'Alarms' in the left navigation pane.
  • Click on 'Create Alarm'.
  • In the 'Create Alarm' wizard, specify the following details:
    • Select the 'Select metric' button.
    • Choose the namespace and metric name you provided while creating the log metric filter.
    • Configure the threshold condition so that the alarm fires on any match, for example 'Whenever Maximum >= 1 for 1 consecutive period(s).'
    • Specify the actions to perform when the alarm state is triggered, such as sending notifications to relevant stakeholders.
    • Provide a name and description for your alarm.
    • Click on 'Create Alarm'.
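The following Python example is added here and is not code from the Cloud Defense rule page or from AWS: it applies the page's filter pattern to constructed CloudTrail log lines, sums the matches per alarm period, and evaluates the alarm condition. The sample records, the 5-minute period and the threshold of 1 are assumptions of the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample CloudTrail records, one JSON object per log line, as they
# arrive in the CloudTrail log group (not real account data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:05Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventTime": "2024-01-01T10:02:40Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventTime": "2024-01-01T10:03:10Z", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventTime": "2024-01-01T10:07:55Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root"},
                "additionalEventData": {"MFAUsed": "No"}}),
]

PERIOD_SECONDS = 300  # assumed alarm period for this example: 5 minutes

def matches_filter(event: dict) -> bool:
    """Mirror the page's metric filter pattern:
    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }
    """
    if event.get("eventName") != "ConsoleLogin":
        return False
    additional = event.get("additionalEventData", {})
    # Assumption for this example: the comparison applies only when the field is present.
    return "MFAUsed" in additional and additional["MFAUsed"] != "Yes"

def period_start(event_time: str) -> int:
    """Bucket an ISO-8601 CloudTrail eventTime into a fixed period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS

def metric_by_period(log_lines) -> Counter:
    """The metric filter emits value 1 per matching line; sum them per period."""
    counts = Counter()
    for line in log_lines:
        event = json.loads(line)
        if matches_filter(event):
            counts[period_start(event["eventTime"])] += 1
    return counts

def alarm_state(period_value: int, threshold: int = 1) -> str:
    """Alarm condition 'Maximum >= 1 for 1 consecutive period'."""
    return "ALARM" if period_value >= threshold else "OK"

if __name__ == "__main__":
    for start, value in sorted(metric_by_period(SAMPLE_LOG_LINES).items()):
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), value, alarm_state(value))
```

Running it shows two periods, each with one non-MFA sign-in (bob and the root user) and therefore in ALARM; the MFA sign-in and the API call do not count.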

Troubleshooting

If you encounter any issues during the creation of the log metric filter and alarm, here are a few troubleshooting tips:

  • Make sure you have the necessary permissions to create CloudWatch log metric filters and alarms. You need the logs:PutMetricFilter (CloudWatch Logs) and cloudwatch:PutMetricAlarm permissions.
  • Ensure that you have selected the correct log group, that is, the one to which CloudTrail delivers the ConsoleLogin events.
  • Double-check the filter pattern for your log metric filter to ensure it matches the expected events.
    { ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }
  • Validate that the desired metric namespace, name, and description are correctly provided while creating the log metric filter and alarm.
  • Verify that the alarm threshold condition is set so that a single matching event (Maximum >= 1 in a period) puts the alarm into the ALARM state; a threshold that only triggers when the count is zero will never report a sign-in without MFA.

By following these steps and troubleshooting tips, you can ensure that a log metric filter and alarm exist for Management Console sign-in without MFA, as required by cis_v130, and thereby strengthen the security of your AWS environment.