Ensure a Log Metric Filter and Alarm Exist for Management Console Sign-in Without MFA Rule

This rule ensures the presence of a log metric filter and alarm for Management Console sign-in without MFA.

Rule: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Framework: cis_v150
Severity: Low

Rule Description:

This rule ensures that a log metric filter and alarm are in place to detect, and notify on, Management Console sign-ins made without multi-factor authentication (MFA). It is based on the CIS Amazon Web Services (AWS) Foundations benchmark version 1.5.0.

Troubleshooting Steps:

If the log metric filter and alarm do not exist or are not functioning as expected, follow these troubleshooting steps:

  1. Verify IAM Roles and Policies: Ensure that the IAM roles and policies associated with the AWS Management Console are correctly configured to enforce multi-factor authentication for all users.

  2. Check CloudTrail Integration: Confirm that AWS CloudTrail is properly integrated and enabled for the AWS account. CloudTrail is essential for capturing and logging AWS Management Console sign-in events.

  3. Review IAM User Policies: Check the IAM user policies to ensure that they require MFA for AWS Management Console access. If a policy is missing or incorrectly configured, update it accordingly.

  4. Verify Alarm Configuration: Review the CloudWatch Alarm configuration to confirm that it is set up correctly. Check the alarm actions, thresholds, and notification settings to ensure they meet the desired criteria.

  5. Test Sign-in Without MFA: As a final step, attempt to sign in to the AWS Management Console without using multi-factor authentication. This will help verify if the log metric filter and alarm trigger as expected. Note that this test should only be performed by an authorized entity with sufficient privileges.

Necessary Codes:

There are no specific codes associated with this rule. However, the following are relevant AWS CLI commands that can be used for troubleshooting and validation purposes:

  1. Verify MFA Requirement for IAM Policies:
     aws iam get-policy --policy-arn <policy-arn>

  2. Check CloudTrail Integration:
     aws cloudtrail describe-trails

  3. Review IAM User Policies:
     aws iam list-attached-user-policies --user-name <user-name>

  4. Verify Alarm Configuration:
     aws cloudwatch describe-alarms --alarm-names <alarm-name>
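
The check this rule performs can be reproduced offline from CLI output. The Python below is an added example, not CloudDefense's or AWS's code: it takes the parsed JSON of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` and reports whether a matching filter, an alarm on its metric, and a notification action all exist. The filter pattern is the one the CIS benchmark gives for this control (it does not appear on this page); the substring match on its two conditions is a simplifying assumption, and every resource name and ARN in the sample data is constructed.

```python
import re

# Filter pattern the CIS AWS Foundations Benchmark gives for this control.
CIS_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'

def norm(text):
    """Strip whitespace so spacing differences in a pattern do not matter."""
    return re.sub(r"\s+", "", text or "")

# Both conditions must be present; extra conditions ANDed on are tolerated.
REQUIRED_TERMS = [norm('$.eventName = "ConsoleLogin"'),
                  norm('$.additionalEventData.MFAUsed != "Yes"')]

def audit(metric_filters, alarms):
    """Return (compliant, reason) for parsed describe-metric-filters and
    describe-alarms output."""
    metrics = set()
    for flt in metric_filters.get("metricFilters", []):
        pattern = norm(flt.get("filterPattern"))
        if all(term in pattern for term in REQUIRED_TERMS):
            for tr in flt.get("metricTransformations", []):
                metrics.add((tr["metricNamespace"], tr["metricName"]))
    if not metrics:
        return False, "no metric filter for ConsoleLogin without MFA"
    watching = [a for a in alarms.get("MetricAlarms", [])
                if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not watching:
        return False, "metric filter exists but no alarm watches its metric"
    for alarm in watching:
        if alarm.get("ActionsEnabled") and alarm.get("AlarmActions"):
            return True, "alarm '%s' has a notification action" % alarm["AlarmName"]
    return False, "alarm exists but has no enabled notification action"

# Constructed sample data in the shape the AWS CLI returns (names are made up).
SAMPLE_FILTERS = {"metricFilters": [{
    "filterName": "no-mfa-console-signin",
    "filterPattern": CIS_PATTERN,
    "metricTransformations": [{"metricNamespace": "CISBenchmark",
                               "metricName": "NoMfaConsoleSignin",
                               "metricValue": "1"}]}]}
SAMPLE_ALARMS = {"MetricAlarms": [{
    "AlarmName": "no-mfa-console-signin-alarm",
    "Namespace": "CISBenchmark", "MetricName": "NoMfaConsoleSignin",
    "ActionsEnabled": True,
    "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]}]}

if __name__ == "__main__":
    print(audit(SAMPLE_FILTERS, SAMPLE_ALARMS))
    print(audit(SAMPLE_FILTERS, {"MetricAlarms": []}))
```

A filter that exists without an alarm, or an alarm whose actions are disabled, is reported as non-compliant with a distinct reason, which separates the failure modes that troubleshooting step 4 asks you to check by hand.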

Step-by-Step Guide for Remediation:

Follow these steps to ensure compliance with this rule:

  1. Open the AWS Management Console and navigate to the IAM service.

  2. Review the IAM roles and policies associated with the AWS Management Console.

  3. Ensure that all IAM policies associated with the AWS Management Console enforce multi-factor authentication (MFA) for all users.

  4. If any policies are missing or incorrectly configured, update them accordingly.

  5. Confirm that AWS CloudTrail is integrated and enabled for the AWS account.

  6. If CloudTrail integration is not enabled, follow the AWS documentation to properly enable it.

  7. Check the IAM user policies to ensure that they require MFA for AWS Management Console access.

  8. If any policies are missing or incorrectly configured, update them accordingly.

  9. Review the CloudWatch Alarm configuration to ensure that it is correctly set up.

  10. If necessary, update the alarm actions, thresholds, and notification settings to align with the desired criteria.

  11. Test the sign-in process to the AWS Management Console without using multi-factor authentication.

  12. Monitor the CloudWatch Alarm and verify that it triggers the expected action or notification.

  13. Once all steps are completed, regularly monitor and audit the IAM policies and alarm configurations to maintain compliance with this rule.
