Classification: compliance
Framework: cis-aws
Control: cis-3.2
Set up the CloudTrail integration.
Detect when a root user logs into the AWS console without multi-factor authentication.
Monitor CloudTrail and detect when any @evt.name has a value of Console Login, @userIdentity.type has a value of Root, and @additionalEventData.MFAUsed has a value of no.
Note: This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.
Note: There is a separate rule to detect Login without MFA for non-root users.
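As an added example that is not part of the original rule documentation, the same matching logic applied to a few constructed CloudTrail records in Python. The eventName, userIdentity.type and additionalEventData.MFAUsed keys are the CloudTrail field names behind the @evt.name, @userIdentity.type and @additionalEventData.MFAUsed attributes; keying the SAML exclusion on additionalEventData.SamlProviderArn is an assumption about how the rule's SAML exception is expressed.

```python
import json

# Constructed sample CloudTrail records (not real log data), newline-delimited
# JSON as the CloudTrail integration would forward them. Only the fields the
# rule inspects are populated.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in [
    # Root console login with no MFA: this is what the rule should flag.
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    # Root login that did use MFA: not a finding.
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    # IAM user without MFA: covered by the separate non-root rule, not this one.
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}},
    # SAML-federated login: ignored because MFA is enforced by the IdP
    # (assumption: the SamlProviderArn field marks such logins).
    {"eventTime": "2024-01-01T08:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole"},
     "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/example"}},
    # Unrelated API call by root: wrong event name, not a console login.
    {"eventTime": "2024-01-01T08:20:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root"}},
])


def is_root_console_login_without_mfa(event: dict) -> bool:
    """Return True when the record matches the rule's three conditions."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if (event.get("userIdentity") or {}).get("type") != "Root":
        return False
    extra = event.get("additionalEventData") or {}
    if extra.get("SamlProviderArn"):  # SAML exception (see note above)
        return False
    # Compare case-insensitively so "No"/"no" both count as no MFA.
    return str(extra.get("MFAUsed", "")).lower() == "no"


def find_root_logins_without_mfa(log_lines: str) -> list:
    """Parse newline-delimited JSON and return the matching records."""
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_root_console_login_without_mfa(event):
            findings.append(event)
    return findings


if __name__ == "__main__":
    for hit in find_root_logins_without_mfa(SAMPLE_LOG_LINES):
        print("root console login without MFA at", hit["eventTime"])
```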