Profile Applicability: Level 1


Description:

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

MFA adds extra security because it requires users to provide unique authentication from an AWS-supported MFA mechanism in addition to their regular sign-in credentials when they access AWS websites or services.

Rationale:

Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA. MFA is worked as an extra layer to protect our AWS resources, so we need to log metric filters and alarms which notify these users to log in through the console without MFA.

Impact:

If log filter metrics and the alarm is enabled for management console sign-in without MFA notifying us, we can be easily notified that any user account or root account is not protected through MFA.

Default Value:

By default, console sign-in without MFA is not enabled.


Pre-Requisite:

  1. Cloud trails Must be enabled in your AWS account

  2. You must contain SNS Topic to get notification


Remediation:

Test Plan:

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/
  2. In the left navigation panel click on Log groups and select the log group you want to examine
  3. Go to the metric filter tab and Search for the metric filter related to console sign-in failures

If the particular metric filter is not found it means AWS Management Console sign-in requests made without using Multi-Factor Authentication protection are not monitored.


Using AWS CLI:

To describe the Cloudwatch metrics

aws cloudwatch describe-metric-filters --log-group-name <value>


Implementation Steps:

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at  https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation, pane click on Log groups under Logs

  3. Select the log group for which you want to create a metric filter 

  4. Click on the Actions drop-down menu, select create a metric filter

  5. In the Create metric filter page, we define the filter pattern as { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") } and then click on Next button

  6. On Assign metric page, under the Create filter name give the filter name as console_signin-without MFA

  7. Under the Metric Details section, provide the details required like Metric namespace, Metric name, metric value, and Default value(optional), and then click on the Next button 

  8. Review the details provided and click on Create metric filter button to create it

  9. After clicking on create metric filter You will see a metric filters page, Select the metric filter you have created and click on create an alarm on the right side of the Metric filters section.

  10. After clicking on create alarm you will be redirected to the next tab to Create Alarm, define the following:-

    • Metric name (it automatically takes from the metric filter)

    • Statistic select Sum

    • Period as 5minutes

  11. In the conditions section select the Threshold type to Static, Define the alarm condition with a Greater(>) threshold and give the value of threshold as you defined in metric value then click on the Next button

  12. Next is Configure actions in this choose Alarm state trigger option as In alarm, For SNS topic select SNS if exist or can create a new topic, click on NEXT

  13. Give the Name of Alarm and Alarm description(optional), click on the Next button.

  14. Review all the entered details and click on create Alarm


 Using AWS CLI:

Create a metric filter based on the filter pattern provided which checks for AWS Management Console sign-in without MFA and the CloudTrail log group name   

put-metric-filter
--log-group-name <value>
--filter-name <value>
--filter-pattern <value>
--metric-transformations <value>

Create an alarm that is associated with the CloudWatch Logs Metric Filter  

aws cloudwatch put-metric-alarm
--alarm-name <value>
--metric-name <value>
--statistic Sum --period 300 --threshold <value>
--comparison-operator <value>
--evaluation-periods 1 -namespace '<give the name space>'
--alarm-actions <sns_topic_arn>


Backout plan: 

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at   https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation, pane click on Log groups under Logs

  3. Select the log group you want to modify, go-to metric filter tab

  4. Choose the metric filter you want to delete and click on Delete

  5. Click on In Alarms in the left navigation pane

  6. Select the alarm you want to delete, click on the Actions drop-down, and select Delete


Using AWS CLI:

The following command deletes a log group named : 

aws logs delete-log-group --log-group-name <name_the group logs>

The delete-alarms command to delete the Amazon CloudWatch alarm   

aws cloudwatch delete-alarms --alarm-names <value>

Reference:

  1. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html 

  2. https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html

  3. https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html   


CIS Controls:

16 Account Monitoring and Control 

Account Monitoring and Control