This rule ensures a log metric filter and alarm exist for AWS Management Console sign-in without MFA.
| Rule | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Low |
Rule Description:
This rule ensures that a log metric filter and alarm exist for AWS Management Console sign-in without Multi-Factor Authentication (MFA), as expected by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) v1. It helps organizations follow the security best practices outlined in the CSF by monitoring and alerting on every sign-in to the AWS Management Console that is made without MFA.
Troubleshooting Steps:
If the log metric filter and alarm for AWS Management Console sign-in without MFA do not exist, follow these troubleshooting steps:
Verify IAM User or Role: Ensure that the IAM user or role you are using has sufficient permissions to create and configure log metric filters and alarms for CloudWatch.
Check CloudTrail Configuration: Make sure CloudTrail is enabled in your AWS account and is configured to log management events related to AWS Management Console sign-in.
Confirm Log Group: Verify that the required log group exists in Amazon CloudWatch Logs. If it doesn't exist, create one using the CloudWatch console or CLI.
Check Filters and Alarms: Review existing log metric filters and alarms to ensure that none of them already monitor AWS Management Console sign-in without MFA.
Verify Alarm Actions: Check the configured actions for the alarm to ensure that they send notifications to the appropriate channels, such as SNS topics, email, or other desired destinations.
Test the Rule: Attempt an AWS Management Console sign-in without using MFA and verify that the log metric filter triggers the alarm as expected.
Necessary Code:
No specific code is required for this rule as it focuses on configuring log metric filters and alarms using AWS CloudWatch console or API.
Remediation Steps:
To implement this rule and ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA, follow the step-by-step guide below:
Log in to the AWS Management Console.
Open the Amazon CloudWatch console.
In the navigation pane, click on "Logs" and then select "Log groups".
Verify if the required log group exists. If not, click on "Create log group" and provide a name for the log group.
Select the log group for which you want to create the log metric filter and alarm.
Click on "Create metric filter" from the Actions menu.
On the "Create metric filter" page, provide a filter pattern that matches AWS Management Console sign-in events made without MFA. For example, you can use the following filter pattern:
{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
CloudTrail records MFAUsed as the string "Yes" or "No", so the pattern compares against "Yes" rather than a boolean value; a comparison with false would never match a ConsoleLogin event.
Click on "Assign metric" and then choose "Create new metric" to create a new metric based on the filter pattern.
Provide a name for the metric, select a namespace (e.g., "AWS/ConsoleSignInWithoutMFA"), and set a unit (e.g., "Count").
Click on "Create filter".
After creating the log metric filter, go back to the log group's details page and select "Create alarm" from the Actions menu.
Configure the alarm settings as per your requirements. For example, set the appropriate threshold to trigger the alarm, define the period, and specify the actions to be taken when the alarm state is triggered (e.g., sending a notification to an SNS topic).
Click on "Create alarm" to complete the process.
Once the alarm is created, test it by signing in to the AWS Management Console without using MFA. The alarm should trigger, and you should receive a notification based on the configured actions.
By following these remediation steps, you will ensure the existence of a log metric filter and alarm for AWS Management Console sign-in without MFA, aligning with the NIST Cybersecurity Framework (CSF) v1 recommendation.
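As an added example (not part of this rule page), the following Python script dry-runs the filter pattern from the remediation steps, a stricter CIS-style variant restricted to successful IAM-user sign-ins, and a boolean comparison, against constructed CloudTrail ConsoleLogin records, so a pattern can be checked before it is deployed. The sample records and the evaluator's handling of absent fields are assumptions, and the evaluator supports only the equality syntax shown.

```python
"""Dry-run CloudWatch Logs metric-filter patterns against CloudTrail ConsoleLogin records.
Added example, not from the rule page; events are constructed samples and `matches` supports
only the `{ ($.path = literal) && ($.path != literal) }` syntax used here."""
import re

def _login(identity_type, mfa_used, result="Success"):
    """Constructed CloudTrail ConsoleLogin record; CloudTrail stores MFAUsed as "Yes"/"No"."""
    return {"eventName": "ConsoleLogin", "userIdentity": {"type": identity_type},
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa_used}}

SAMPLE_EVENTS = {
    "iam_user_mfa": _login("IAMUser", "Yes"),
    "iam_user_no_mfa": _login("IAMUser", "No"),
    "iam_user_failed_no_mfa": _login("IAMUser", "No", "Failure"),
    "federated_role": _login("AssumedRole", "No"),  # SSO/STS console sessions report "No"
    "api_call": {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser"}},
}

# The remediation pattern, a stricter CIS-style variant (successful IAM-user sign-ins only),
# and a boolean comparison that can never match the string "No".
BASIC = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
STRICT = ('{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
          '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }')
BOOLEAN_BUG = '{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed = false) }'
CLAUSE = re.compile(r'\(\s*\$\.([\w.]+)\s*(!=|=)\s*("[^"]*"|\w+)\s*\)')

def _literal(raw):
    """Quoted text -> str, true/false -> bool, digits -> int, bare word -> str."""
    if raw.startswith('"'):
        return raw[1:-1]
    return raw == "true" if raw in ("true", "false") else (int(raw) if raw.isdigit() else raw)

def _lookup(event, path):
    """Walk a $.a.b.c path; absent fields yield None (this evaluator's simplification)."""
    for key in path.split("."):
        event = event.get(key) if isinstance(event, dict) else None
    return event

def matches(event, pattern):
    """True when every `(...)` clause holds: `=` requires equality, `!=` inequality."""
    clauses = CLAUSE.findall(pattern)
    if not clauses:
        raise ValueError(f"unsupported pattern: {pattern}")
    return all((_lookup(event, p) == _literal(raw)) == (op == "=") for p, op, raw in clauses)

def matching_events(pattern):
    """Names of SAMPLE_EVENTS that would increment the metric under this pattern."""
    return [name for name, ev in SAMPLE_EVENTS.items() if matches(ev, pattern)]
```

`matching_events(BOOLEAN_BUG)` returns an empty list, `matching_events(BASIC)` also flags the federated sign-in and the failed attempt, and `matching_events(STRICT)` returns only `['iam_user_no_mfa']`.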