
Rule: Ensure a log metric filter and alarm for AWS Management Console sign-in without MFA

This rule ensures the presence of a log metric filter and alarm for AWS Console sign-in without MFA.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

This rule helps secure the AWS Management Console by detecting sign-ins by users who did not use Multi-Factor Authentication (MFA). It aligns with the guidelines provided by the NIST Cybersecurity Framework (CSF) v1.

Troubleshooting Steps:

  1. Verify that an AWS CloudTrail trail is enabled in your AWS account and delivers events to a CloudWatch Logs log group.
  2. Ensure that all users are required to use MFA for console sign-in.
  3. Check that a log metric filter and alarm exist for detecting sign-ins without MFA.

Necessary Codes:

CloudFormation Template Code:

Parameters:
  LogGroupName:
    Type: String
    Description: Name of the CloudWatch Logs log group that receives CloudTrail events

Resources:
  LogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref LogGroupName
      # Match ConsoleLogin events where MFA was not used
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
      MetricTransformations:
        - MetricName: UnauthorizedConsolesWithoutMFA
          MetricNamespace: SigninMetrics
          MetricValue: "1"
          # Publish 0 for periods with log events but no matches, so the alarm gets data
          DefaultValue: 0

  Alarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: UnauthorizedConsolesWithoutMFAAlarm
      AlarmDescription: "Alarm triggered when unauthorized consoles are used without MFA"
      ComparisonOperator: GreaterThanThreshold
      EvaluationPeriods: 1
      Threshold: 0
      MetricName: UnauthorizedConsolesWithoutMFA
      Namespace: SigninMetrics
      # Statistic is required; Sum counts every matching sign-in in the period
      Statistic: Sum
      Period: 300
      # Quiet periods (no log events at all) should not leave the alarm in INSUFFICIENT_DATA
      TreatMissingData: notBreaching
      AlarmActions:
        - <ARN of the SNS topic or AWS Lambda function to notify>
      # No Dimensions: the metric filter publishes the metric without dimensions, so an
      # alarm keyed on a Username dimension would never receive data and would never fire.

Replace <ARN of the SNS topic or AWS Lambda function to notify> with the appropriate value, and supply the CloudTrail log group name through the LogGroupName parameter when creating the stack.

CLI Command:

aws logs put-metric-filter --log-group-name <LogGroupName> --filter-name UnauthorizedConsolesWithoutMFAFilter --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }' --metric-transformations metricName=UnauthorizedConsolesWithoutMFA,metricNamespace=SigninMetrics,metricValue=1,defaultValue=0

aws cloudwatch put-metric-alarm --alarm-name UnauthorizedConsolesWithoutMFAAlarm --alarm-description "Alarm triggered when unauthorized consoles are used without MFA" --comparison-operator GreaterThanThreshold --evaluation-periods 1 --threshold 0 --statistic Sum --period 300 --treat-missing-data notBreaching --alarm-actions <ARN of the SNS topic or AWS Lambda function to notify> --namespace SigninMetrics --metric-name UnauthorizedConsolesWithoutMFA

Replace <LogGroupName> and <ARN of the SNS topic or AWS Lambda function to notify> with the appropriate values. Note that defaultValue is part of --metric-transformations (there is no separate --default-value option), --statistic is required for the alarm, and the alarm must not specify --dimensions: the filter publishes the metric without dimensions, so a dimensioned alarm would never receive data.
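As an added illustration (not code from the rule page), the following Python models the filter pattern above against constructed CloudTrail ConsoleLogin records and emulates the Sum/Threshold 0 alarm. It also shows the CIS benchmark's refinement of the same pattern (IAM users only, successful sign-ins only), which avoids flagging federated/SSO sign-ins that CloudTrail records with MFAUsed "No" even when the identity provider enforced MFA. The event contents are constructed, and treating a missing MFAUsed field as "not Yes" is this script's convention.

```python
import json
from typing import Callable, List

# Constructed CloudTrail ConsoleLogin records (trimmed to the fields the filter inspects).
SAMPLE_EVENTS: List[str] = [
    # IAM user, MFA used: must never fire
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}}),
    # IAM user, successful sign-in without MFA: the case the rule is about
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}),
    # IAM user, failed sign-in without MFA: no console session was established
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}}),
    # Federated (SAML/SSO) sign-in: AWS records MFAUsed "No" even when the IdP enforced MFA
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole"},
                "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}),
    # Unrelated API call that must not match
    json.dumps({"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "dave"}}),
]

def page_pattern(ev: dict) -> bool:
    """The rule's filter: { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }.
    A missing MFAUsed field counts as "not Yes" (this script's convention, an assumption)."""
    return ev.get("eventName") == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"

def strict_pattern(ev: dict) -> bool:
    """The page's filter plus the CIS refinement: IAM users only, successful sign-ins only."""
    return (page_pattern(ev)
            and ev.get("userIdentity", {}).get("type") == "IAMUser"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")

def metric_sum(lines: List[str], predicate: Callable[[dict], bool]) -> int:
    """Emulate one evaluation period with Statistic Sum: each matching line adds MetricValue 1."""
    return sum(1 for line in lines if predicate(json.loads(line)))

def alarm_state(total: int, threshold: int = 0) -> str:
    """GreaterThanThreshold against Threshold 0, as configured in the rule's alarm."""
    return "ALARM" if total > threshold else "OK"

if __name__ == "__main__":
    for name, pred in (("page pattern", page_pattern), ("strict pattern", strict_pattern)):
        total = metric_sum(SAMPLE_EVENTS, pred)
        print(f"{name}: matched {total} event(s) -> {alarm_state(total)}")
```

Running it shows the page's pattern matching three of the five records (including the failed login and the SSO sign-in) while the strict pattern matches only the successful IAM-user sign-in without MFA.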

Step-by-Step Guide for Remediation:

  1. Sign in to the AWS Management Console and open the AWS CloudFormation service.
  2. Click on "Create stack" to create a new CloudFormation stack.
  3. Select "Upload a template file" and upload the CloudFormation template code provided above.
  4. Click on "Next" to proceed.
  5. Provide a stack name and fill in any necessary parameters.
  6. In the "Capabilities" section, check the box for acknowledging the creation of IAM resources.
  7. Click on "Next" and then "Create stack" to create the CloudFormation stack.
  8. Wait for the stack creation to complete. This may take a few minutes.
  9. Once the stack creation is complete, you will have a log metric filter and alarm set up to detect AWS Management Console sign-ins without MFA.
  10. To test the setup, try signing in to the AWS Management Console without enabling MFA. You should receive an alarm notification indicating that an unauthorized sign-in without MFA has been detected.
  11. If needed, you can configure the alarm to notify the appropriate individuals or teams by modifying the alarm actions.

By following these steps, you can ensure that a log metric filter and alarm are in place to detect and alert on unauthorized AWS Management Console sign-ins without MFA, meeting the requirements of the NIST Cybersecurity Framework (CSF) v1.
