Open menu
-->

Monitor for AWS Console Sign-In Requests Without MFA

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Medium (should be achieved)

Ensure CloudWatch monitors AWS Management Console authentication requests that are not protected by Multi-Factor Authentication (MFA).

This rule resolution is part of the Cloud Conformity Security Package

Using CloudWatch alarms to monitor single-factor authentication requests will increase visibility into your AWS accounts that are not protected by Multi-Factor Authentication. Note: For this rule, Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable Amazon Cloudtrail – CloudWatch integration.

Audit

To determine if there are any CloudWatch alarms set up to monitor AWS Console sign-in requests made without MFA, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel select Alarms.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon from the top-right menu, then select the Metric Name checkbox.

05 In the Metric Name column, verify each alarm available for the ConsoleSignInWithoutMfaCount metric. If ConsoleSignInWithoutMfaCount metric is not used by any of your existing alarms, the AWS Management Console sign-in requests made without using Multi-Factor Authentication protection are not monitored using AWS CloudWatch alarms.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-alarms-for-metric command (OSX/Linux/UNIX) to list all AWS CloudWatch alarms that are currently associated with the ConsoleSignInWithoutMfaCount metric, available within the selected AWS region:

aws cloudwatch describe-alarms-for-metric
	--region us-east-1
	--metric-name ConsoleSignInWithoutMfaCount
	--namespace AWS/CloudTrailMetrics

02 The command output should return an array containing the metadata for the requested CloudWatch alarm(s):

{
    "MetricAlarms": []
}

If the command output returns an empty array, i.e. [], for the value of the MetricAlarms attribute (as shown in the example above), there are no AWS CloudWatch alarms implemented to detect AWS Management Console sign-in requests made without using MFA protection.

03 Perform step no. 1 and 2 to repeat the entire audit process for other AWS regions.

Remediation / Resolution

Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notification alerts whenever the necessary AWS CloudWatch alarm is triggered:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for your new SNS topic then click Create Topic.

05 Open the newly created SNS topic configuration page by clicking on its Amazon Resource Name (ARN) link.

06 Under Subscription section click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 In the Endpoint box, enter the email address where you want to receive the CloudWatch alarm notifications then click Create Subscription to create the required subscription.

09 Use your preferred email client application to open the message received from AWS Notifications, then click on the appropriate link to confirm your new email subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications whenever the required AWS CloudWatch alarm is triggered:

aws sns create-topic
	--name SignInWithoutMfaAlarmSNSTopic

02 The command output should return the Amazon Resource Name (ARN) for the newly created AWS SNS topic:

{
   "TopicArn": "arn:aws:sns:us-east-1:12345678901:SignInWithoutMfaAlarmSNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification endpoint (the email address provided as endpoint):

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:SignInWithoutMfaAlarmSNSTopic
	--protocol email
	--notification-endpoint no-reply@cloudconformity.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the email subscription by validating the token sent to the notification endpoint selected (the command does not produce an output):

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:SignInWithoutMfaAlarmSNSTopic
	--token d119e15f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da71efa9431

Step 2: Create the required CloudWatch metric filter and the CloudWatch alarm that will fire whenever an AWS Management Console sign-in request made without using MFA is send:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, select Logs.

04 Select the log group created for your CloudTrail trail event logs and click Create Metric Filter button.

05 On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box: { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }. This pattern will be used for scanning AWS CloudTrail logs for authentication-specific events named "ConsoleLogin" that have the "additionalEventData.MFAUsed" event attribute assigned.

06 Review the metric filter configuration details then click Assign Metric.

07 On the Create Metric Filter and Assign a Metric page, perform the following:

  1. In the Filter Name box, enter ConsoleSignInWithoutMfa as the name for the new filter.
  2. In the Metric Namespace box, type CloudTrailMetrics.
  3. In the Metric Name box, type ConsoleSignInWithoutMfaCount for the metric identifier.
  4. Click Show advanced metric settings to slide down the advanced settings section.
  5. In the Metric Value box, enter 1.

08 Review the details then click Create Filter to generate your new CloudWatch Logs metric filter.

09 On the current page click Create Alarm from the top-right menu.

10 In the Create Alarm dialog box, provide the following information:

  1. Within the Alarm Threshold section, in the Name and Description fields, enter a unique name (e.g. ConsoleSignInWithoutMfaAlarm) and a short description for the new CloudWatch alarm.
  2. Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 1 as the threshold value in the box next to the dropdown list to trigger the alarm every time a sign-in request made without using MFA is performed.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 1 from Send notification to.
  4. In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic list.
  5. Review the CloudWatch alarm configuration details then click Create Alarm. Once created, the new alarm will be listed on the Alarms page. Once the monitoring data is loaded, the State (status) of the new CloudWatch alarm will change from INSUFFICIENT_DATA to OK.

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the necessary CloudWatch metric filter and associate it with the appropriate Amazon CloudTrail log group (the command does not produce an output):

aws logs put-metric-filter
	--region us-east-1
	--log-group-name CloudTrail/CloudWatchLogGroup
	--filter-name ConsoleSignInWithoutMfaCount
	--filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }'
	--metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1

02Run put-metric-alarm command (OSX/Linux/UNIX) to create the AWS CloudWatch alarm that will fire whenever a Management Console sign-in request made without using MFA is send to your AWS account (if successful, the command does not return an output):

aws cloudwatch put-metric-alarm
	--region us-east-1
	--alarm-name ConsoleSignInWithoutMfaAlarm
	--alarm-description "Triggered by sign-in requests made without MFA."
	--metric-name ConsoleSignInWithoutMfaCount
	--namespace CloudTrailMetrics
	--statistic Sum
	--comparison-operator GreaterThanOrEqualToThreshold
	--evaluation-periods 1
	--period 300
	--threshold 1
	--actions-enabled
	--alarm-actions arn:aws:sns:us-east-1:123456789012:SignInWithoutMfaAlarmSNSTopic

References

Publication date Sep 20, 2017