More Info:
AWS Console Sign-In Requests Without MFA should be monitored using CloudWatch Events.
Risk Level: Medium
Address: Security
Compliance Standards: CISAWSF, PCI, GDPR, APRA, MAS, NIST4, CISAWS, CBP, SOC2, HIPAA, ISO27001, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate “AWS Console Sign In Without MFA” using the AWS Console, follow these steps:
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
- Review the metric filter details and click Assign Metric.
- On the Create Metric Filter and Assign a Metric page:
  - Filter Name: ConsoleSignInWithoutMfa
  - Metric Namespace: CloudTrailMetrics
  - Metric Name: ConsoleSignInWithoutMfaCount
  - Metric Value: 1
- Click Create Filter.
- After creating the filter, click Create Alarm from the top-right menu.
- Configure the alarm:
  - Alarm Name: ConsoleSignInWithoutMfaAlarm
  - Threshold: >= 1 (to trigger on every sign-in without MFA)
  - Notification: Select the SNS topic to receive alerts.
  - Period: 5 Minutes
  - Statistic: Sum
- Review and click Create Alarm to finalize.
Using CLI
To remediate “AWS Console Sign In Without MFA” using AWS CLI, follow these steps:
- Run the following command to create a CloudWatch metric filter:
- Run the following command to create a CloudWatch alarm:
Using Python
To monitor and remediate this using Python, follow these steps:
- Create an AWS CloudTrail Trail to log sign-in events as described in the original documentation.
- Use AWS Lambda with Python to scan for sign-in events without MFA and trigger alerts via SNS:
- Test the Lambda function:
- Use the “Test” button in the Lambda function console to test the function.
- Verify that you receive an email or text message when a sign-in event without MFA is detected.
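As an added example (not the page's own Lambda code), the detection logic a Lambda handler for the step above could use: it inspects a CloudTrail ConsoleLogin record delivered through an EventBridge rule, applies the same conditions as the CIS metric-filter pattern (ConsoleLogin, MFAUsed not "Yes", successful login) and also covers the Root identity, and publishes to SNS only on a match. `SNS_TOPIC_ARN` is an assumed placeholder, `SAMPLE_EVENT` is a constructed record, and the EventBridge rule itself is assumed to exist.

```python
from typing import Any, Dict, Optional

SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-topic"  # assumed; replace


def parse_console_login(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return details of a successful console sign-in without MFA, else None.
    Accepts a raw CloudTrail record or an EventBridge envelope ('detail').
    Mirrors the CIS metric-filter logic and also covers the Root identity."""
    record = event.get("detail", event)
    if record.get("eventName") != "ConsoleLogin":
        return None
    identity = record.get("userIdentity", {})
    # Federated (AssumedRole) sign-ins report MFAUsed "No" because MFA is
    # enforced at the IdP, so they are excluded to keep the alarm actionable.
    if identity.get("type") not in ("IAMUser", "Root"):
        return None
    if record.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if record.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return {
        "user": identity.get("userName") or identity.get("arn", "unknown"),
        "account": record.get("recipientAccountId", "unknown"),
        "source_ip": record.get("sourceIPAddress", "unknown"),
        "time": record.get("eventTime", "unknown"),
    }


def format_alert(finding: Dict[str, str]) -> str:
    return ("Console sign-in WITHOUT MFA: user=%(user)s account=%(account)s "
            "source_ip=%(source_ip)s time=%(time)s" % finding)


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    finding = parse_console_login(event)
    if finding is None:
        return {"alerted": False}
    import boto3  # lazy import: detection logic stays testable without boto3
    boto3.client("sns").publish(TopicArn=SNS_TOPIC_ARN, Message=format_alert(finding),
                                Subject="AWS console sign-in without MFA")
    return {"alerted": True, "finding": finding}


# Constructed sample EventBridge event (not real data) for local runs and tests.
SAMPLE_EVENT = {"detail": {
    "eventName": "ConsoleLogin", "eventTime": "2024-05-01T12:00:00Z",
    "sourceIPAddress": "198.51.100.7", "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}}}
```

Running `lambda_handler(SAMPLE_EVENT)` with boto3 and valid credentials publishes one alert; the metric filter and alarm from the console steps remain the primary control, and this handler adds per-event context (user, source IP, time) to the notification.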