CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured


A CloudWatch metric filter and alarm should be established for console logins not protected by multi-factor authentication (MFA). Monitoring for single-factor console logins increases visibility into accounts that are not protected by MFA.

Console Remediation Steps

This is a two-part process. First, you create a Metric Filter for specific CloudTrail log events. Next, you create a CloudWatch alarm for the filter. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Step 1: To create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Log Groups and select the desired log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled (i.e., is in Logging status).

    • Select Metric filters > Create Metric Filter.

    • In Filter pattern, enter the following: { $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = "No" }

    • Click Next.

    • For Filter name, type ConsoleSignInWithoutMfa.

    • For Metric namespace, type CloudTrailMetrics.

    • For Metric name, type ConsoleSignInWithoutMfaCount.

    • For Metric value, type 1.

    • Click Next > Create metric filter.

  • Step 2: To create an Alarm:

    • Check the box next to the newly created metric filter and click Create alarm.

    • Select the Threshold type.

    • Define the alarm condition and threshold value.

    • Click Next.

    • In Alarm state trigger, select In alarm.

    • Select an existing SNS topic, create a new topic, or use a topic ARN. Note that the SNS topic must have at least one subscriber.

      • If you selected to create a new topic, enter a name in Create a new topic.

      • In Email endpoints, enter the email address that will receive the notification.

      • Click Create topic.

    • Click Next.

    • Enter an Alarm name.

    • Optionally, enter an alarm description.

    • Click Next > Create alarm.
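As an added illustration (not part of the original remediation steps), the Python below evaluates the Step 1 filter pattern locally over constructed CloudTrail records and sums the matches the way the alarm's Sum statistic would; the record fields, the threshold of 1 and the Sum statistic are assumptions chosen for the example.

```python
from typing import Iterable

# The metric filter pattern from Step 1 (CloudWatch JSON filter pattern syntax):
# { $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = "No" }
METRIC_VALUE = 1  # the "Metric value" entered in Step 1

# Constructed, abbreviated CloudTrail records (not real log data); only the fields
# the filter and the comments below rely on are included.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    # A failed sign-in attempt: still matches, because the pattern does not inspect
    # responseElements.ConsoleLogin, only eventName and MFAUsed.
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    # Not a ConsoleLogin event and no additionalEventData at all: never matches.
    {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def sign_in_without_mfa(event: dict) -> bool:
    """Local equivalent of the filter pattern: both selectors must be present and equal.
    A record without additionalEventData.MFAUsed does not match, mirroring how a JSON
    metric filter treats a missing field."""
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
    return event.get("eventName") == "ConsoleLogin" and mfa_used == "No"


def metric_sum(events: Iterable[dict]) -> int:
    """What ConsoleSignInWithoutMfaCount sums to over one period: METRIC_VALUE is
    emitted for every matching log event."""
    return sum(METRIC_VALUE for e in events if sign_in_without_mfa(e))


def alarm_state(metric_sum_value: int, threshold: int = 1) -> str:
    """Step 2 condition as assumed here: Statistic=Sum, alarm when sum >= threshold.
    Returns the CloudWatch state name."""
    return "ALARM" if metric_sum_value >= threshold else "OK"


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['eventName']:<18} match={sign_in_without_mfa(e)}")
    total = metric_sum(SAMPLE_EVENTS)
    print(f"ConsoleSignInWithoutMfaCount sum={total} -> {alarm_state(total)}")
```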

CLI Remediation Steps