AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS Console Sign In Without MFA Should Be Monitored
More Info:
AWS Console Sign-In Requests Without MFA should be monitored using CloudWatch Events.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWS, CBP, SOC2, HIPAA, ISO27001, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
The misconfiguration you have mentioned can be remediated in AWS using the following steps:
- Log in to your AWS Management Console.
- Go to the AWS CloudTrail service.
- Click on the “Trails” option in the left-hand menu.
- Select the trail that you want to monitor for AWS console sign in without MFA.
- Click on the “Edit” button to modify the trail settings.
- Scroll down to the “Event selector” section and click on the “Advanced” option.
- In the “Data events” tab, select “Sign-in events” and then select “Console sign-in events”.
- In the “Management events” tab, select “Write events” and then select “UpdateSecurityConfiguration”.
- Click on the “Save” button to save the changes.
- Go to the AWS CloudWatch service.
- Click on the “Alarms” option in the left-hand menu.
- Click on the “Create alarm” button.
- In the “Create alarm” wizard, select “CloudTrail metric” as the alarm source.
- Select the “ConsoleSignInWithoutMFA” metric.
- Set the threshold and other alarm settings as per your requirements.
- Click on the “Create alarm” button to create the alarm.
With these steps, you will have set up monitoring for AWS console sign in without MFA and will receive alerts whenever this occurs.
The misconfiguration “AWS Console Sign In Without MFA Should Be Monitored” can be remediated in AWS by following the below steps:
- Open the AWS CLI and run the following command to create a CloudTrail trail:
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events
Note: Replace <trail-name>
with a name for your trail and <bucket-name>
with the name of an S3 bucket where you want to store the logs.
- Run the following command to enable the trail:
aws cloudtrail update-trail --name <trail-name> --is-organization-trail --enable-log-file-validation
Note: Replace <trail-name>
with the name of your trail.
- Run the following command to create a CloudWatch log group:
aws logs create-log-group --log-group-name <log-group-name>
Note: Replace <log-group-name>
with a name for your log group.
- Run the following command to create a CloudWatch log stream:
aws logs create-log-stream --log-group-name <log-group-name> --log-stream-name <log-stream-name>
Note: Replace <log-group-name>
with the name of your log group and <log-stream-name>
with a name for your log stream.
- Run the following command to create a CloudWatch log subscription filter:
aws logs put-subscription-filter --log-group-name <log-group-name> --filter-name <filter-name> --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }' --destination-arn <sns-topic-arn>
Note: Replace <log-group-name>
with the name of your log group, <filter-name>
with a name for your filter, and <sns-topic-arn>
with the ARN of an SNS topic where you want to receive notifications.
- Verify that the filter was created successfully by running the following command:
aws logs describe-subscription-filters --log-group-name <log-group-name>
Note: Replace <log-group-name>
with the name of your log group.
By following these steps, you will have successfully remediated the misconfiguration “AWS Console Sign In Without MFA Should Be Monitored” by monitoring AWS Console sign in without MFA using CloudTrail, CloudWatch Logs, and SNS.
To remediate the issue of AWS Console Sign In Without MFA Should Be Monitored, you can use AWS CloudTrail and AWS Lambda to monitor the sign-in events and trigger an alert if a user signs in without MFA.
Here are the step-by-step instructions to remediate this issue for AWS using Python:
-
Create an AWS CloudTrail trail to log sign-in events.
- Go to the AWS Management Console and select CloudTrail.
- Click on “Trails” in the left-hand menu and then click “Create trail”.
- Enter a name for the trail, select the S3 bucket where you want to store the logs, and select the log file format.
- Select “Global services” and “AWS Management Console” under “Data events”.
- Click “Create”.
-
Create an AWS Lambda function to monitor the CloudTrail logs.
- Go to the AWS Management Console and select Lambda.
- Click on “Create function” and select “Author from scratch”.
- Enter a name for the function, select “Python 3.8” as the runtime, and choose the execution role.
- Click “Create function”.
-
Add code to the Lambda function to check for sign-in events without MFA.
- Use the following Python code to check for sign-in events without MFA:
import json
def lambda_handler(event, context):
for record in event['Records']:
if record['eventName'] == 'ConsoleLogin':
event_data = json.loads(record['CloudTrailEvent'])
user_identity = event_data['userIdentity']
if 'sessionContext' in user_identity and 'attributes' in user_identity['sessionContext']:
attributes = user_identity['sessionContext']['attributes']
if 'mfaAuthenticated' in attributes and attributes['mfaAuthenticated'] == 'false':
print('User signed in without MFA: {}'.format(user_identity['userName']))
-
Set up an alert to notify you when a user signs in without MFA.
- Use Amazon SNS to send an email or text message when a sign-in event without MFA is detected.
- Create a new SNS topic and subscribe to it.
- Modify the Lambda function code to publish a message to the SNS topic when a sign-in event without MFA is detected.
import boto3
import json
sns = boto3.client('sns')
topic_arn = 'arn:aws:sns:us-east-1:123456789012:signin-alerts'
def lambda_handler(event, context):
for record in event['Records']:
if record['eventName'] == 'ConsoleLogin':
event_data = json.loads(record['CloudTrailEvent'])
user_identity = event_data['userIdentity']
if 'sessionContext' in user_identity and 'attributes' in user_identity['sessionContext']:
attributes = user_identity['sessionContext']['attributes']
if 'mfaAuthenticated' in attributes and attributes['mfaAuthenticated'] == 'false':
message = 'User signed in without MFA: {}'.format(user_identity['userName'])
sns.publish(TopicArn=topic_arn, Message=message)
-
Test the Lambda function.
- Use the “Test” button in the Lambda function console to test the function.
- Verify that you receive an email or text message when a sign-in event without MFA is detected.
By following these steps, you can remediate the issue of AWS Console Sign In Without MFA Should Be Monitored using Python.