This rule ensures a log metric filter and alarm exist for AWS Management Console sign-in without MFA.
| Rule | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA |
| Framework | General Data Protection Regulation (GDPR) |
| Severity | Low |
Rule Description:
This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist to detect, and alert on, sign-ins to the AWS Management Console that were not protected by Multi-Factor Authentication (MFA). Console sign-ins are recorded by CloudTrail as ConsoleLogin events; once CloudTrail delivers to CloudWatch Logs, a metric filter can match events whose additionalEventData.MFAUsed field is not "Yes" and drive an alarm. This is a detective control: it tells you after the fact that a password-only console session was opened, so the account can be investigated and MFA enforced for that user. Under the General Data Protection Regulation (GDPR) it supports the duty to keep personal data secure by surfacing console access that bypassed MFA.
Troubleshooting Steps:
If the log metric filter or alarm for AWS Management Console sign-in without MFA is missing, never fires, or fires constantly, work through the following:
Verify IAM User MFA Status: The alarm fires on sign-ins that actually happened without MFA, so an alarm that keeps firing usually means users still have no MFA device assigned. Check in IAM (or with aws iam list-mfa-devices --user-name <user>) that every user with console access has an MFA device, and fix the users rather than silencing the alarm.
IAM User Permissions: The principal that creates or updates the filter and alarm needs logs:PutMetricFilter (and logs:DescribeMetricFilters) on the log group, cloudwatch:PutMetricAlarm, and sns:CreateTopic plus sns:Subscribe if it also sets up the notification topic. Missing permissions surface as AccessDenied errors from the CLI or console.
Log Metric Filter Configuration: The filter must be attached to the log group that receives CloudTrail events and use a pattern that matches ConsoleLogin events without MFA. The pattern recommended by the CIS AWS Foundations Benchmark is { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }; the last two conditions drop failed attempts and federated (AssumedRole) sessions, whose MFA is enforced at the identity provider and is not reflected in MFAUsed. Validate the pattern against a real ConsoleLogin event with aws logs test-metric-filter before relying on it.
Alarm Configuration: The alarm must reference the metric name and namespace emitted by the filter, use the Sum statistic with a threshold of at least 1 over one evaluation period, and have an alarm action that publishes to an SNS topic with at least one confirmed subscription. An alarm with no action, or a topic with no subscribers, detects nothing in practice. The alarm only changes state when a matching event is ingested, so with the pattern above a failed sign-in attempt will not move it to ALARM.
CloudWatch Logs Integration: Console sign-in events come from CloudTrail, not from the console itself. Confirm that a multi-region trail is enabled and configured to deliver to a CloudWatch Logs log group (the CloudWatchLogsLogGroupArn field in the output of aws cloudtrail describe-trails), and that recent ConsoleLogin events are visible in that log group. Without this delivery the metric filter has nothing to match.
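The matching logic of the two filter patterns discussed above, re-implemented locally so it can be run over constructed CloudTrail records. This is an added example, not code from the original page or from AWS: it mirrors the pattern semantics in plain Python instead of calling CloudWatch, and the sample records (event IDs, identity types, outcomes) are constructed for illustration. It shows why the benchmark's later pattern adds the IAMUser and Success conditions: failed attempts, federated sessions and root sign-ins match the older pattern but not the newer one.

```python
import json

# Filter pattern recommended by the CIS AWS Foundations Benchmark for this control
# (the version that limits matches to successful IAM-user sign-ins).
CIS_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
    '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
)
# The looser pattern from earlier benchmark versions: every ConsoleLogin without MFA.
LEGACY_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'


def _field(event, *path):
    """Walk a dotted JSON path ($.a.b) and return None when any segment is missing."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_legacy(event):
    """Local re-implementation of LEGACY_PATTERN.
    Assumption of this evaluator: a missing MFAUsed field counts as "not Yes"."""
    return (_field(event, "eventName") == "ConsoleLogin"
            and _field(event, "additionalEventData", "MFAUsed") != "Yes")


def matches_cis(event):
    """Local re-implementation of CIS_PATTERN: the legacy conditions plus IAM user and success."""
    return (matches_legacy(event)
            and _field(event, "userIdentity", "type") == "IAMUser"
            and _field(event, "responseElements", "ConsoleLogin") == "Success")


def console_login(event_id, identity_type, mfa_used, outcome):
    """Build a minimal CloudTrail ConsoleLogin record. Constructed sample, not a captured event."""
    return {
        "eventVersion": "1.08",
        "eventID": event_id,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": identity_type},
        "additionalEventData": {"MFAUsed": mfa_used, "LoginTo": "https://console.aws.amazon.com/"},
        "responseElements": {"ConsoleLogin": outcome},
    }


# Constructed log lines, one JSON document per line as CloudTrail delivers them to CloudWatch Logs.
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    console_login("iam-no-mfa-ok", "IAMUser", "No", "Success"),    # the case the control exists for
    console_login("iam-mfa-ok", "IAMUser", "Yes", "Success"),      # compliant sign-in
    console_login("iam-no-mfa-fail", "IAMUser", "No", "Failure"),  # wrong password, no session opened
    # SAML / Identity Center session: type is AssumedRole and MFAUsed is "No" because any
    # MFA challenge happened at the identity provider, out of CloudTrail's sight.
    console_login("federated-no-mfa-ok", "AssumedRole", "No", "Success"),
    console_login("root-no-mfa-ok", "Root", "No", "Success"),      # root: excluded by the IAMUser test
    {"eventID": "api-call", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
)]


def evaluate(log_lines):
    """Apply both patterns to each log line; returns {eventID: {"cis": bool, "legacy": bool}}."""
    results = {}
    for line in log_lines:
        event = json.loads(line)
        results[event["eventID"]] = {"cis": matches_cis(event), "legacy": matches_legacy(event)}
    return results


if __name__ == "__main__":
    for event_id, verdict in evaluate(SAMPLE_LOG_LINES).items():
        print(f"{event_id:22} cis={verdict['cis']!s:5} legacy={verdict['legacy']}")
```

Only the first record trips the CIS pattern; the legacy pattern also fires on the failed attempt, the federated session and the root sign-in. Root sign-ins fall outside the newer pattern by design, since the benchmark covers them with a separate alarm on any root-account usage, so keep that alarm as well rather than widening this one.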
Necessary Codes:
No application code is required for this rule. The following AWS CLI commands cover the pieces involved:
aws iam create-virtual-mfa-device and aws iam enable-mfa-device: create a virtual MFA device and associate it with an IAM user. (aws iam update-user only renames a user or changes its path; it does not enable or disable MFA.)
aws cloudtrail describe-trails: find the CloudWatch Logs log group that receives CloudTrail events (the CloudWatchLogsLogGroupArn field).
aws logs put-metric-filter: create the metric filter that turns matching ConsoleLogin events into a metric.
aws sns create-topic and aws sns subscribe: create the notification topic and subscribe a recipient.
aws cloudwatch put-metric-alarm: create the alarm on that metric with the topic as its action.
Step-by-Step Guide for Remediation:
To satisfy the rule and set up the log metric filter and alarm for AWS Management Console sign-in without MFA, follow these steps:
Access the AWS Management Console, or use the AWS CLI with a principal that has the permissions listed in the troubleshooting section.
Identify the IAM users who have console access but no MFA device assigned (IAM > Users > Security credentials, or aws iam list-mfa-devices --user-name <user> for each user with a login profile).
For each such user, assign an MFA device: in the console, open the user's Security credentials tab and choose Assign MFA device; from the CLI, run aws iam create-virtual-mfa-device and then aws iam enable-mfa-device with two consecutive codes from the device.
Create the log metric filter, with the CLI or the console, on the CloudWatch Logs log group that receives CloudTrail events. Use a pattern that matches ConsoleLogin events whose additionalEventData.MFAUsed is not "Yes" (the CIS benchmark pattern), and a metric transformation that emits the value 1 under a namespace and metric name of your choosing.
Create an SNS topic, subscribe at least one recipient and confirm the subscription, then create a CloudWatch alarm on that metric (statistic Sum, period 300 seconds, threshold of 1 or more over one evaluation period) with the topic as its alarm action.
Test the setup in a non-production account or with a dedicated test user: sign in to the console with password only and confirm that the metric increments and the alarm moves to ALARM within a few minutes. A failed sign-in does not count if the pattern requires ConsoleLogin = "Success"; the test sign-in must complete.
Monitor the alarm: every notification means a password-only console session was opened. Identify the user from the CloudTrail event, assign MFA before the next sign-in, and investigate the session if it was not expected.
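The remediation procedure above as a script. This is an added example written for this page, not the page's own code and not an AWS-provided tool: it uses boto3, and the filter, metric, namespace, alarm and topic names, the email notification protocol and the default region are assumptions chosen for illustration. boto3 is imported only inside remediate(), so the ARN helper, the pattern check and the parameter builders run without it or without AWS credentials.

```python
# Names below (filter, metric, namespace, alarm, topic) are assumptions for illustration.
FILTER_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
    '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
)
FILTER_NAME = "ConsoleSigninWithoutMFA"
METRIC_NAMESPACE = "CISBenchmark"
METRIC_NAME = "ConsoleSigninWithoutMFA"
ALARM_NAME = "ConsoleSigninWithoutMFA"
TOPIC_NAME = "cis-console-signin-without-mfa"


def log_group_from_arn(log_group_arn):
    """Extract the log group name from a CloudTrail CloudWatchLogsLogGroupArn,
    which has the form arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*."""
    if ":log-group:" not in log_group_arn:
        raise ValueError(f"not a log group ARN: {log_group_arn}")
    return log_group_arn.split(":log-group:", 1)[1].split(":", 1)[0]


def filter_is_compliant(existing_pattern):
    """True when an existing metric filter carries the expected pattern, ignoring whitespace.
    Useful when auditing a log group's filters before creating a duplicate."""
    return "".join(existing_pattern.split()) == "".join(FILTER_PATTERN.split())


def metric_filter_params(log_group_name):
    """Keyword arguments for logs.put_metric_filter (CLI: aws logs put-metric-filter)."""
    return {
        "logGroupName": log_group_name,
        "filterName": FILTER_NAME,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [
            {"metricName": METRIC_NAME, "metricNamespace": METRIC_NAMESPACE, "metricValue": "1"}
        ],
    }


def alarm_params(topic_arn):
    """Keyword arguments for cloudwatch.put_metric_alarm (CLI: aws cloudwatch put-metric-alarm).
    One matching event in a 5-minute period is enough; no data means no sign-ins, not a fault."""
    return {
        "AlarmName": ALARM_NAME,
        "AlarmDescription": "AWS Management Console sign-in without MFA",
        "MetricName": METRIC_NAME,
        "Namespace": METRIC_NAMESPACE,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def remediate(notification_email, region_name="us-east-1"):
    """Apply the remediation to a real account: needs boto3, credentials and network access.
    boto3 is imported here so the pure helpers above stay importable without it."""
    import boto3

    # Prerequisite: a multi-region trail that delivers to CloudWatch Logs.
    trails = [t for t in boto3.client("cloudtrail", region_name=region_name).describe_trails()["trailList"]
              if t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn")]
    if not trails:
        raise RuntimeError("no multi-region CloudTrail trail delivers to CloudWatch Logs")
    trail = trails[0]
    log_group = log_group_from_arn(trail["CloudWatchLogsLogGroupArn"])

    # The log group, the metric and the alarm all live in the trail's home region.
    home = trail["HomeRegion"]
    logs = boto3.client("logs", region_name=home)
    sns = boto3.client("sns", region_name=home)
    cloudwatch = boto3.client("cloudwatch", region_name=home)

    existing = logs.describe_metric_filters(logGroupName=log_group)["metricFilters"]
    if not any(filter_is_compliant(f["filterPattern"]) for f in existing):
        logs.put_metric_filter(**metric_filter_params(log_group))

    # The alarm is only useful with a confirmed subscriber on the topic; the recipient
    # must still click the confirmation link that SNS emails them.
    topic_arn = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=notification_email)
    cloudwatch.put_metric_alarm(**alarm_params(topic_arn))
    return log_group, topic_arn
```

Run it as remediate("security-alerts@example.com") with credentials that hold the permissions listed under troubleshooting. The pattern comparison ignores whitespace because the console and the CLI store the same pattern with different spacing, which otherwise produces a second, redundant filter on every run.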
By following these steps, you can fulfill the rule requirements and maintain compliance with the General Data Protection Regulation (GDPR) regarding AWS Management Console sign-in without MFA.