CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured

Description

A CloudWatch metric filter and alarm should be established for console logins not protected by multi-factor authentication (MFA). Monitoring for single-factor console logins increases visibility into accounts that are not protected by MFA.

Console Remediation Steps

This is a two part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation pane, select Logs.

    • Select the log group you created for the CloudTrail Log events.

    • Click Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

    • Choose Assign Metric.

    • For Filter Name, type ConsoleSignInWithoutMfa.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type ConsoleSignInWithoutMfaCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm:

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Console Sign In Without MFA.

      • In Whenever, enter is >= 1 for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to field, select New List and enter a unique name for it.

      • In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.

CLI Remediation Steps