Ensure CloudWatch monitors AWS Management Console authentication requests that are not protected by Multi-Factor Authentication (MFA).
Using CloudWatch alarms to monitor single-factor authentication requests will increase visibility into your AWS accounts that are not protected by Multi-Factor Authentication. Note: For this rule, Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable Amazon Cloudtrail – CloudWatch integration.
To determine if there are any CloudWatch alarms set up to monitor AWS Console sign-in requests made without MFA, perform the following:
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notification alerts whenever the necessary AWS CloudWatch alarm is triggered:
Step 2: Create the required CloudWatch metric filter and the CloudWatch alarm that will fire whenever an AWS Management Console sign-in request made without using MFA is send: