This rule ensures the presence of a log metric filter and alarm for AWS Console sign-in without MFA.
| Rule | Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA |
|---|---|
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | Low |
Rule Description:
This rule helps secure the AWS Management Console by detecting sign-ins that are completed without Multi-Factor Authentication (MFA). It aligns with the guidelines of the NIST Cybersecurity Framework (CSF) v1.
Troubleshooting Steps:
Necessary Codes:
CloudFormation Template Code:
```yaml
Parameters:
  LogGroupName:
    Type: String
    Description: CloudWatch Logs group that receives the CloudTrail log stream

Resources:
  LogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
      MetricTransformations:
        - MetricName: UnauthorizedConsolesWithoutMFA
          MetricNamespace: SigninMetrics
          MetricValue: "1"
          DefaultValue: 0   # publish 0 for non-matching events so the metric is never empty

  Alarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: UnauthorizedConsolesWithoutMFAAlarm
      AlarmDescription: "Alarm triggered when unauthorized consoles are used without MFA"
      Namespace: SigninMetrics
      MetricName: UnauthorizedConsolesWithoutMFA
      Statistic: Sum          # required by CloudWatch; Sum counts matching sign-ins in the period
      Period: 300
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching   # quiet periods stay OK instead of INSUFFICIENT_DATA
      # No Dimensions here: the metric filter publishes the metric without dimensions,
      # so an alarm scoped to a Username dimension would never receive data and never fire.
      AlarmActions:
        - <ARN of the SNS topic or AWS Lambda function to notify>
```

Replace <ARN of the SNS topic or AWS Lambda function to notify> with the ARN of your notification target, and pass the CloudTrail log group name through the LogGroupName parameter when deploying the stack.

CLI Command:
```sh
# defaultValue belongs inside --metric-transformations; put-metric-filter has no --default-value option
aws logs put-metric-filter \
  --log-group-name <LogGroupName> \
  --filter-name UnauthorizedConsolesWithoutMFAFilter \
  --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }' \
  --metric-transformations metricName=UnauthorizedConsolesWithoutMFA,metricNamespace=SigninMetrics,metricValue=1,defaultValue=0

# --statistic is mandatory; no --dimensions, because the filter above publishes an undimensioned metric
aws cloudwatch put-metric-alarm \
  --alarm-name UnauthorizedConsolesWithoutMFAAlarm \
  --alarm-description "Alarm triggered when unauthorized consoles are used without MFA" \
  --namespace SigninMetrics \
  --metric-name UnauthorizedConsolesWithoutMFA \
  --statistic Sum \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 0 \
  --comparison-operator GreaterThanThreshold \
  --treat-missing-data notBreaching \
  --alarm-actions <ARN of the SNS topic or AWS Lambda function to notify>
```

Replace <LogGroupName> and <ARN of the SNS topic or AWS Lambda function to notify> with the appropriate values.

Step-by-Step Guide for Remediation:
By following these steps, you can ensure that a log metric filter and alarm are in place to detect and alert unauthorized AWS Management Console sign-ins without MFA, meeting the requirements of the NIST Cybersecurity Framework (CSF) v1.
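To show what the filter pattern and alarm above actually catch, here is an added Python example (not part of the original rule page): it applies the same match condition and the Sum-over-300-seconds alarm rule to constructed CloudTrail records, including a federated (AssumedRole) console sign-in, which the pattern also flags because CloudTrail reports MFAUsed as "No" when MFA was performed at the external identity provider. Event contents, timestamps and the account id are made up.

```python
"""Apply the rule's metric-filter logic and alarm arithmetic to constructed CloudTrail records."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real data); timestamps and the account id are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T10:01:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # Federated sign-in: MFA was done at the identity provider, so CloudTrail still reports "No".
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/SSOAdmin/carol"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def matches_filter(event: dict) -> bool:
    """Same condition as the page's pattern:
    { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }.
    Assumes, as for real ConsoleLogin records, that MFAUsed is present."""
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
    return event.get("eventName") == "ConsoleLogin" and mfa_used != "Yes"


def metric_value(event: dict) -> int:
    """MetricValue "1" on a match; DefaultValue 0 is published for every other record."""
    return 1 if matches_filter(event) else 0


def alarm_periods(events, period_seconds: int = 300) -> dict:
    """Emulate the alarm: Statistic Sum over Period 300, GreaterThanThreshold 0.
    Returns {period start (ISO 8601): sum} for each period that would enter ALARM."""
    sums = defaultdict(int)
    for event in events:
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period_start = int(ts.timestamp()) // period_seconds * period_seconds
        sums[period_start] += metric_value(event)
    return {datetime.fromtimestamp(start, timezone.utc).isoformat(): total
            for start, total in sorted(sums.items()) if total > 0}


if __name__ == "__main__":
    print(alarm_periods(SAMPLE_EVENTS))  # two periods in ALARM: bob's and carol's sign-ins
```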