
Rule: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

This rule requires the presence of a log metric filter and alarm for Management Console sign-in without MFA.

Rule: Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Framework: cis_v140
Severity: Low

Rule Description:

The rule ensures that a log metric filter and alarm exist for Management Console sign-ins without Multi-Factor Authentication (MFA) for cis_v140 compliance. This compliance rule is included in the CIS Amazon Web Services Foundations benchmark. By enabling this rule, you can proactively detect any sign-ins to the AWS Management Console without MFA and take appropriate actions to enhance the security of your AWS account.

Troubleshooting Steps:

If you encounter any issues related to the log metric filter or alarm for Management Console sign-in without MFA, please follow these troubleshooting steps:

  1. Check CloudTrail Configuration: Verify that your AWS account has AWS CloudTrail enabled and properly configured. Ensure that CloudTrail is logging Management Console sign-in events.

  2. Check IAM Policy: Double-check the IAM policy associated with the IAM user, group, or role that is attempting to sign in to the Management Console. Ensure that MFA is required for the respective IAM entities.

  3. Verify IAM Permissions: Make sure the IAM entity that configures the monitoring has permission to create or update log metric filters and alarms in Amazon CloudWatch.

  4. Review Alarm Configuration: Check the configuration of the CloudWatch alarm associated with the log metric filter. Ensure that the alarm is set up correctly, with appropriate threshold values and actions.

  5. Review Filter Pattern: Examine the log metric filter pattern to ensure it accurately captures Management Console sign-in events without MFA. Verify the filter pattern against the CloudTrail logs.

  6. Investigate CloudWatch Logs: If the log metric filter or alarm is not triggering as expected, review the CloudWatch logs for any errors or issues related to the log metric filter.

Necessary Codes:

No additional codes are required for this rule.

Step-by-Step Guide for Remediation:

Follow these steps to remediate the issue of Management Console sign-in without MFA for cis_v140:

  1. Enable CloudTrail: Ensure that AWS CloudTrail is enabled for your AWS account. If not, follow these steps:

    • Open the AWS Management Console.
    • Go to the CloudTrail service.
    • Click on "Trails" in the left navigation panel.
    • Click on "Create Trail" and configure the trail as per your requirements.
    • Enable log file validation for better security.
    • Click "Create" to enable CloudTrail.

  2. Create IAM Policy: Create an IAM policy that requires MFA for IAM entity sign-ins. Follow these steps to create the policy:

    • Open the AWS Management Console.
    • Go to the IAM service.
    • Click on "Policies" in the left navigation panel.
    • Click on "Create policy" and choose the JSON tab.
    • Enter the policy document with the MFA requirement:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "RequireMFAForConsoleAccess",
            "Effect": "Deny",
            "Action": [
              "iam:CreateVirtualMFADevice",
              "iam:DeactivateMFADevice",
              "iam:DeleteVirtualMFADevice",
              "iam:EnableMFADevice",
              "iam:ResyncMFADevice"
            ],
            "Resource": "*",
            "Condition": {
              "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
              }
            }
          }
        ]
      }

    • Click "Review policy" and provide a name and description for the policy.
    • Review the policy details and click "Create policy" to create it.

  3. Attach IAM Policy: Attach the created IAM policy to the IAM users, groups, or roles that require Management Console access. Follow these steps to attach the policy:

    • Open the AWS Management Console.
    • Go to the IAM service.
    • Click on "Users," "Groups," or "Roles" in the left navigation panel.
    • Select the appropriate IAM entity and click on the "Permissions" tab.
    • Click on "Attach policies."
    • Search for the policy you created, select it, and click "Attach policy" to attach it.

  4. Create Metric Filter: Create a CloudWatch log metric filter to capture Management Console sign-in events without MFA. Follow these steps to create the metric filter:

    • Open the AWS Management Console.
    • Go to the CloudWatch service.
    • Click on "Logs" in the left navigation panel.
    • Select the log group associated with your CloudTrail logs.
    • Click on "Create metric filter."
    • Define a filter pattern that captures sign-in events without MFA. For example, use the following pattern:

      { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }

    • Click on "Assign metric" and provide a name for the new metric.
    • Configure other details, such as the metric namespace and metric value, as desired.
    • Click on "Create filter" to create the metric filter.

  5. Create Alarm: Create a CloudWatch alarm on the metric produced by the filter so that an action is triggered when a Management Console sign-in without MFA is detected. Follow these steps to create the alarm:

    • Open the AWS Management Console.
    • Go to the CloudWatch service.
    • Click on "Alarms" in the left navigation panel.
    • Click on "Create alarm."
    • Select the metric created by the filter in the previous step.
    • Set threshold conditions and actions for the alarm based on your requirements.
    • Configure the notification actions (e.g., sending an email or triggering an AWS Lambda function) to be taken when the alarm is triggered.
    • Click on "Create alarm" to create the CloudWatch alarm.

  6. Test and Monitor: Test the setup by signing in to the AWS Management Console without MFA and observe whether the alarm triggers and the desired actions are taken. Monitor the CloudWatch logs, events, and alarms to ensure ongoing compliance with this rule.

By following these steps, you can ensure that a log metric filter and alarm exist for Management Console sign-in without MFA for cis_v140 compliance in your AWS environment.
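As an added example (not code from this page, Cloud Defense, or AWS), the following Python script mirrors the step 4 filter pattern and runs it over constructed CloudTrail ConsoleLogin records, so the matching behaviour can be checked before the filter is deployed. The "refined" variant, which additionally requires userIdentity.type = "IAMUser" and a successful login, is an assumption of this example in the spirit of later CIS benchmark revisions; it shows why federated sign-ins and failed attempts would otherwise raise the alarm.

```python
# Added example: local evaluator for the CIS 4.2 metric filter pattern.
# Not code from the page or from AWS; the sample records are constructed.

def matches_page_pattern(event: dict) -> bool:
    """Mirror { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }.
    Every real ConsoleLogin record carries MFAUsed, so the samples always set it."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def matches_refined_pattern(event: dict) -> bool:
    """Page pattern plus two extra conditions (assumed here, not from the page):
    only IAM users, and only sign-ins that succeeded. Federated/SSO sessions
    report MFAUsed "No" even when the IdP enforced MFA, and a failed attempt
    never produced a console session, so both are excluded from the metric."""
    return (matches_page_pattern(event)
            and event.get("userIdentity", {}).get("type") == "IAMUser"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success")


def console_login(label: str, identity_type: str, mfa_used: str, outcome: str) -> dict:
    """Build a minimal constructed CloudTrail ConsoleLogin record."""
    return {
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": identity_type, "userName": label},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa_used},
    }


# Constructed sample log: one record per case the filter has to distinguish.
SAMPLE_EVENTS = [
    console_login("alice-with-mfa", "IAMUser", "Yes", "Success"),
    console_login("bob-no-mfa", "IAMUser", "No", "Success"),
    console_login("bob-failed-no-mfa", "IAMUser", "No", "Failure"),
    console_login("sso-session", "AssumedRole", "No", "Success"),
    # Not a console sign-in at all; must never count, whatever the MFA state.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]


def flag_signins(events, refined: bool = False) -> list:
    """Return the userName of every record that would increment the metric."""
    rule = matches_refined_pattern if refined else matches_page_pattern
    return [e["userIdentity"]["userName"] for e in events if rule(e)]


if __name__ == "__main__":
    print("page pattern   :", flag_signins(SAMPLE_EVENTS))
    print("refined pattern:", flag_signins(SAMPLE_EVENTS, refined=True))
```

Before trusting either variant, paste a handful of real ConsoleLogin records from your CloudTrail log group into the CloudWatch "Test pattern" box; the evaluator here only models the fields the pattern references.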
