Triage and Remediation
Remediation
Using Console
To remediate “AWS Console Sign In Without MFA” using the AWS Console, follow these steps:
- Sign in to the AWS Management Console.
- Navigate to the CloudWatch dashboard.
- In the left navigation panel, select Logs.
- Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
- On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
- Review the metric filter details and click Assign Metric.
- On the Create Metric Filter and Assign a Metric page:
  - Filter Name: ConsoleSignInWithoutMfa
  - Metric Namespace: CloudTrailMetrics
  - Metric Name: ConsoleSignInWithoutMfaCount
  - Metric Value: 1
- Click Create Filter.
- After creating the filter, click Create Alarm from the top-right menu.
- Configure the alarm:
  - Alarm Name: ConsoleSignInWithoutMfaAlarm
  - Threshold: >= 1 (to trigger on every sign-in without MFA)
  - Notification: Select the SNS topic to receive alerts.
  - Period: 5 Minutes
  - Statistic: Sum
- Review and click Create Alarm to finalize.
Using CLI
To remediate “AWS Console Sign In Without MFA” using AWS CLI, follow these steps:
- Run the following command to create a CloudWatch metric filter:
- Run the following command to create a CloudWatch alarm:
Using Python
To monitor and remediate this using Python, follow these steps:
- Create an AWS CloudTrail Trail to log sign-in events as described in the original documentation.
- Use AWS Lambda with Python to scan for sign-in events without MFA and trigger alerts via SNS:
- Test the Lambda function.
  - Use the “Test” button in the Lambda function console to test the function.
  - Verify that you receive an email or text message when a sign-in event without MFA is detected.
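The Lambda logic the Python steps above describe, as an added example that is not the page's own code: it assumes the function is subscribed to the CloudTrail log group through a CloudWatch Logs subscription, reads the SNS topic ARN from an environment variable named ALERT_TOPIC_ARN (an assumed name), and relies on CloudTrail's ConsoleLogin event fields; the sample records are constructed. It goes a step beyond the page by also skipping federated (AssumedRole) sessions and failed sign-ins, which would otherwise produce noisy alerts.

```python
import base64, gzip, json

# Constructed sample CloudTrail records (not from the original page). Field names follow CloudTrail's
# ConsoleLogin schema: eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin.
# Record 3 is a federated session (MFA enforced by the IdP, so MFAUsed is "No" by design); record 4 failed.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/sso"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
]

def is_console_login_without_mfa(record):
    """Same condition as the metric filter: a successful IAM-user ConsoleLogin with MFAUsed != "Yes"."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("userIdentity", {}).get("type") == "IAMUser"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def find_logins_without_mfa(records):
    return [r for r in records if is_console_login_without_mfa(r)]

def encode_cloudwatch_logs_event(records):
    """Build the gzip+base64 'awslogs' payload CloudWatch Logs delivers to a subscribed Lambda (offline test aid)."""
    body = {"logEvents": [{"message": json.dumps(r)} for r in records]}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()}}

def decode_cloudwatch_logs_event(event):
    payload = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    return [json.loads(e["message"]) for e in payload["logEvents"]]

def lambda_handler(event, context, publish=None):
    """Lambda entry point. `publish` is injectable for local tests; in Lambda it defaults to
    SNS Publish on the topic named by the (assumed) ALERT_TOPIC_ARN environment variable."""
    if publish is None:
        import os, boto3
        topic = os.environ["ALERT_TOPIC_ARN"]
        publish = lambda msg: boto3.client("sns").publish(TopicArn=topic, Message=msg)
    hits = find_logins_without_mfa(decode_cloudwatch_logs_event(event))
    for r in hits:
        publish(f"Console sign-in without MFA: user={r['userIdentity'].get('userName', '?')} "
                f"ip={r.get('sourceIPAddress', '?')} time={r.get('eventTime', '?')}")
    return {"alerts": len(hits)}
```

Running `lambda_handler(encode_cloudwatch_logs_event(SAMPLE_RECORDS), None, publish=print)` locally flags only bob's sign-in; alice used MFA, the federated session is skipped, and carol's attempt failed.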