AWS Management Console sign-ins without MFA should be monitored

Docs > Plateforme de sécurité Datadog > OOTB Rules > AWS Management Console sign-ins without MFA should be monitored

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch logs and establishing corresponding metric filters and alarms. It is recommended to set up a metric filter and alarm for console logins not protected by multi-factor authentication (MFA) to increase visibility into potentially at-risk accounts.

Remediation

For instructions on setting up CloudWatch metric filters and alarms for logins without MFA, refer to the AWS CloudWatch Alarms for CloudTrail User Guide.

aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
--filter-name <no_mfa_console_signin_metric> --metric-transformations \
metricName=<no_mfa_console_signin_metric>,metricNamespace=CISBenchmark,metricValue=1 \
--filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && \
($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'

You can choose your own metricName and metricNamespace strings. Use the same metricNamespace for all Foundations Benchmark metrics to group them together.