CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured

Description

A CloudWatch metric filter and alarm should be established for console logins not protected by multi-factor authentication (MFA). Monitoring for single-factor console logins increases visibility into accounts that are not protected by MFA.

Console Remediation Steps

  • This is a two-part process. First, create the metric filter.

    • Navigate to CloudWatch.

    • In the left navigation pane, select Logs.

    • Select the log group you created for the CloudTrail log events.

    • Click Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

    • Choose Assign Metric.

    • For Filter Name, type ConsoleSignInWithoutMfa.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type ConsoleSignInWithoutMfaCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm. After you create the metric filter, follow the steps below to create an alarm.

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Console Sign In Without MFA.

      • In Whenever, choose is >= 1. For consecutive period(s), enter 1.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, under Send notification to, select New List and enter a unique name for it. In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.
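The same two-part configuration driven from the AWS CLI, as an added example that is not part of the original page. It assumes a CloudTrail log group name, an SNS topic name and a notification e-mail address, all placeholders to replace; the filter pattern, names, namespace, statistic, period and threshold are the values from the console steps above.

```shell
#!/usr/bin/env bash
# Added example: metric filter + SNS e-mail topic + alarm via the AWS CLI.
# Run with "--apply" to make the calls; set AWS_CLI=echo for a dry run.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
LOG_GROUP_NAME="${LOG_GROUP_NAME:-<cloudtrail-log-group>}"   # assumption: your CloudTrail log group
TOPIC_NAME="${TOPIC_NAME:-console-signin-without-mfa}"       # assumption: any unique SNS topic name
NOTIFY_EMAIL="${NOTIFY_EMAIL:-security@example.com}"        # assumption: placeholder address

# Exactly the pattern from the console steps: a console login for which
# CloudTrail recorded that MFA was not used.
FILTER_PATTERN='{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }'

create_metric_filter() {
  "$AWS_CLI" logs put-metric-filter \
    --log-group-name "$LOG_GROUP_NAME" \
    --filter-name ConsoleSignInWithoutMfa \
    --filter-pattern "$FILTER_PATTERN" \
    --metric-transformations \
      metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
}

# Creates (or returns the existing) topic and prints its ARN. The e-mail
# subscription must be confirmed from the inbox before notifications flow.
create_notification_topic() {
  local topic_arn
  topic_arn="$("$AWS_CLI" sns create-topic --name "$TOPIC_NAME" --query TopicArn --output text)"
  "$AWS_CLI" sns subscribe --topic-arn "$topic_arn" --protocol email \
    --notification-endpoint "$NOTIFY_EMAIL" >/dev/null
  printf '%s\n' "$topic_arn"
}

# Sum over a 5-minute (300 s) period, alarm when >= 1 for 1 consecutive period.
# notBreaching keeps the alarm in OK when no login happens at all, instead of
# leaving it in INSUFFICIENT_DATA.
create_alarm() {
  local topic_arn="$1"
  "$AWS_CLI" cloudwatch put-metric-alarm \
    --alarm-name "Console Sign In Without MFA" \
    --metric-name ConsoleSignInWithoutMfaCount --namespace CloudTrailMetrics \
    --statistic Sum --period 300 \
    --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 --treat-missing-data notBreaching \
    --alarm-actions "$topic_arn"
}

if [ "${1:-}" = "--apply" ]; then
  create_metric_filter
  create_alarm "$(create_notification_topic)"
fi
```

The IAM principal running it needs permissions for logs:PutMetricFilter, sns:CreateTopic, sns:Subscribe and cloudwatch:PutMetricAlarm.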

CLI Remediation Steps