A metric filter and alarm should exist for console logins without MFA

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

Rationale

Monitoring for single-factor console logins increases visibility into accounts that are not protected by MFA.

impact

Remediation

Perform the following to set up the metric filter, alarm, SNS topic, and subscription:

From the command line

  1. Retrieve cloudtrail log group name

    aws cloudtrail describe-trails
    
  2. Create a metric filter based on the filter pattern provided, which checks for AWS Management Console sign-in without MFA and the <cloudtrail_log_group_name>.

    aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
    

    Alternatively, to reduce false positives in case single sign-on (SSO) is used in an organization:

    aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<no_mfa_console_signin_metric>` --metric-transformations metricName= `<no_mfa_console_signin_metric>`,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
    
    • Ensure CloudTrail is set to multi-region and isLogging is set True.
    • Ensure there is at least one Event Selector with IncludeManagementEvents set to True and ReadWriteType set to All.

    Note: You can choose your own metricName and metricNamespace strings. Use the same metricNamespace for all Foundations Benchmark metrics to group them together.

  3. Create an SNS topic that the alarm notifies.

    aws sns create-topic --name <sns_topic_name>
    
    • Note: You can execute this command once and then re-use the same topic for all monitoring alarms.
  4. Create an SNS subscription to the topic created in step 2.

    aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
    
    • Note: You can execute this command once and then re-use the SNS subscription for all monitoring alarms.
  5. Create an alarm that is associated with the CloudWatch logs metric filter created in step 1 and the SNS topic created in step 2.

    aws cloudwatch put-metric-alarm --alarm-name `<no_mfa_console_signin_alarm>` --metric-name `<no_mfa_console_signin_metric>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold -- evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
    

References

  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
  2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
  3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
  4. https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html

Additional Information

Configuring log metric filters and alarms on multi-region (global) CloudTrail logs provides the following benefits:

  • Ensures that activities from all regions (used as well as unused) are monitored.
  • Ensures that activities on all supported global services are monitored.
  • ensures that all management events across all regions are monitored -Filter pattern set to { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success"} reduces false alarms raised when user logs in via SSO account.