AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS Console Sign In Without MFA Should Be Monitored
More Info:
AWS Console Sign-In Requests Without MFA should be monitored using CloudWatch Events.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWSF, PCI, GDPR, APRA, MAS, NIST4, CISAWS, CBP, SOC2, HIPAA, ISO27001, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate “AWS Console Sign In Without MFA” using the AWS Console, follow these steps:
-
Sign in to the AWS Management Console.
-
Navigate to the CloudWatch dashboard.
-
In the left navigation panel, select Logs.
-
Select the log group created for your CloudTrail trail event logs and click Create Metric Filter.
-
On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box:
{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }
-
Review the metric filter details and click Assign Metric.
-
On the Create Metric Filter and Assign a Metric page:
- Filter Name:
ConsoleSignInWithoutMfa - Metric Namespace:
CloudTrailMetrics - Metric Name:
ConsoleSignInWithoutMfaCount - Metric Value:
1 - Click Create Filter.
- Filter Name:
-
After creating the filter, click Create Alarm from the top-right menu.
-
Configure the alarm:
- Alarm Name:
ConsoleSignInWithoutMfaAlarm - Threshold:
>= 1(to trigger on every sign-in without MFA) - Notification: Select the SNS topic to receive alerts.
- Period:
5 Minutes - Statistic:
Sum
- Alarm Name:
-
Review and click Create Alarm to finalize.
To remediate “AWS Console Sign In Without MFA” using AWS CLI, follow these steps:
- Run the following command to create a CloudWatch metric filter:
aws logs put-metric-filter \
--region us-east-1 \
--log-group-name CloudTrail/CloudWatchLogGroup \
--filter-name ConsoleSignInWithoutMfaCount \
--filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }' \
--metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
- Run the following command to create a CloudWatch alarm:
aws cloudwatch put-metric-alarm \
--region us-east-1 \
--alarm-name ConsoleSignInWithoutMfaAlarm \
--alarm-description "Triggered by sign-in requests made without MFA." \
--metric-name ConsoleSignInWithoutMfaCount \
--namespace CloudTrailMetrics \
--statistic Sum \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--period 300 \
--threshold 1 \
--alarm-actions arn:aws:sns:us-east-1:123456789012:SignInWithoutMfaAlarmSNSTopic
To monitor and remediate this using Python, follow these steps:
-
Create an AWS CloudTrail Trail to log sign-in events as described in the original documentation.
-
Use AWS Lambda with Python to scan for sign-in events without MFA and trigger alerts via SNS:
import boto3
import json
sns = boto3.client('sns')
topic_arn = 'arn:aws:sns:us-east-1:123456789012:signin-alerts'
def lambda_handler(event, context):
for record in event['Records']:
if record['eventName'] == 'ConsoleLogin':
event_data = json.loads(record['CloudTrailEvent'])
user_identity = event_data['userIdentity']
if 'sessionContext' in user_identity and 'attributes' in user_identity['sessionContext']:
attributes = user_identity['sessionContext']['attributes']
if 'mfaAuthenticated' in attributes and attributes['mfaAuthenticated'] == 'false':
message = 'User signed in without MFA: {}'.format(user_identity['userName'])
sns.publish(TopicArn=topic_arn, Message=message)
-
Test the Lambda function.
- Use the “Test” button in the Lambda function console to test the function.
- Verify that you receive an email or text message when a sign-in event without MFA is detected.
By following these steps, you can remediate the issue of AWS Console Sign In Without MFA Should Be Monitored using Python.