> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Console Sign In Without MFA Should Be Monitored

### More Info:

AWS Console Sign-In Requests Without MFA should be monitored using CloudWatch Events.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CISAWSF, PCI, GDPR, APRA, MAS, NIST4, CISAWS, CBP, SOC2, HIPAA, ISO27001, HITRUST, NISTCSF, PCIDSS

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate "AWS Console Sign In Without MFA" using the AWS Console, follow these steps:

        1. Sign in to the AWS Management Console.

        2. Navigate to the [CloudWatch dashboard](https://console.aws.amazon.com/cloudwatch/).

        3. In the left navigation panel, select **Logs**.

        4. Select the log group created for your CloudTrail trail event logs and click **Create Metric Filter**.

        5. On the **Define Logs Metric Filter** page, paste the following pattern inside the **Filter Pattern** box:

        ```bash theme={null}
            { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }
        ```

        6. Review the metric filter details and click **Assign Metric**.

        7. On the **Create Metric Filter and Assign a Metric** page:

           * Filter Name: `ConsoleSignInWithoutMfa`
           * Metric Namespace: `CloudTrailMetrics`
           * Metric Name: `ConsoleSignInWithoutMfaCount`
           * Metric Value: `1`
           * Click **Create Filter**.

        8. After creating the filter, click **Create Alarm** from the top-right menu.

        9. Configure the alarm:

           * Alarm Name: `ConsoleSignInWithoutMfaAlarm`
           * Threshold: `>= 1` (to trigger on every sign-in without MFA)
           * Notification: Select the SNS topic to receive alerts.
           * Period: `5 Minutes`
           * Statistic: `Sum`

        10. Review and click **Create Alarm** to finalize.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate "AWS Console Sign In Without MFA" using AWS CLI, follow these steps:

        1. Run the following command to create a CloudWatch metric filter:

        ```bash theme={null}
        aws logs put-metric-filter \
            --region us-east-1 \
            --log-group-name CloudTrail/CloudWatchLogGroup \
            --filter-name ConsoleSignInWithoutMfaCount \
            --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }' \
            --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
        ```

        2. Run the following command to create a CloudWatch alarm:

        ```bash theme={null}
        aws cloudwatch put-metric-alarm \
            --region us-east-1 \
            --alarm-name ConsoleSignInWithoutMfaAlarm \
            --alarm-description "Triggered by sign-in requests made without MFA." \
            --metric-name ConsoleSignInWithoutMfaCount \
            --namespace CloudTrailMetrics \
            --statistic Sum \
            --comparison-operator GreaterThanOrEqualToThreshold \
            --evaluation-periods 1 \
            --period 300 \
            --threshold 1 \
            --alarm-actions arn:aws:sns:us-east-1:123456789012:SignInWithoutMfaAlarmSNSTopic
        ```
      </Accordion>

      <Accordion title="Using Python">
        To monitor and remediate this using Python, follow these steps:

        1. **Create an AWS CloudTrail Trail** to log sign-in events as described in the original documentation.

        2. Use AWS Lambda with Python to scan for sign-in events without MFA and trigger alerts via SNS:

        ```python theme={null}
        import boto3
        import json

        sns = boto3.client('sns')
        topic_arn = 'arn:aws:sns:us-east-1:123456789012:signin-alerts'

        def lambda_handler(event, context):
            for record in event['Records']:
                if record['eventName'] == 'ConsoleLogin':
                    event_data = json.loads(record['CloudTrailEvent'])
                    user_identity = event_data['userIdentity']
                    if 'sessionContext' in user_identity and 'attributes' in user_identity['sessionContext']:
                        attributes = user_identity['sessionContext']['attributes']
                        if 'mfaAuthenticated' in attributes and attributes['mfaAuthenticated'] == 'false':
                            message = 'User signed in without MFA: {}'.format(user_identity['userName'])
                            sns.publish(TopicArn=topic_arn, Message=message)
        ```

        3. Test the Lambda function.

           * Use the "Test" button in the Lambda function console to test the function.
           * Verify that you receive an email or text message when a sign-in event without MFA is detected.

        By following these steps, you can remediate the issue of AWS Console Sign In Without MFA Should Be Monitored using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html)
* [https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html](https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/console-sign-in-without-mfa.html)
