Profile Applicability:

Level 1

Description:

Monitoring AWS Management Console sign-ins without Multi-Factor Authentication (MFA) is critical for security. AWS CloudTrail logs can be directed to Amazon CloudWatch Logs or an external SIEM to detect unauthorized access attempts. CloudWatch metric filters and alarms should be configured to notify administrators of non-MFA logins.

Why Monitor Console Logins Without MFA?

  • Detects insecure authentication attempts and potential compromised accounts.
  • Enhances security posture by ensuring MFA is enforced for console logins.
  • Provides visibility into IAM user login activities lacking MFA protection.
  • Meets compliance standards by monitoring authentication security events.

Rationale:

  • MFA adds a critical security layer beyond just a username and password.
  • Identifies potential threats from IAM users without MFA.
  • Prevents unauthorized access by enforcing MFA policies.
  • Meets compliance requirements (SOC 2, CIS Benchmark, NIST, PCI DSS, ISO 27001).

Impact:

  • Reduces the risk of account compromise by enforcing MFA monitoring.
  • Enhances security posture by detecting non-compliant IAM logins.
  • Alerts security teams to respond to unauthorized console sign-ins.

Default Value:

  • AWS does NOT provide built-in alerts for console logins without MFA.
  • CloudWatch monitoring must be manually configured to track non-MFA logins.

Pre-Requisites:

IAM Permissions Required:

{
  "Action": [
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "logs:DescribeMetricFilters",
    "logs:PutMetricFilter",
    "cloudwatch:PutMetricAlarm",
    "sns:CreateTopic",
    "sns:Subscribe"
  ],
  "Effect": "Allow",
  "Resource": "*"
}

Remediation:

Test Plan

Using AWS Console

Verify CloudTrail is Multi-Region and Logging is Active:

  1. Log in to the AWS Console

  2. Navigate to CloudTrail Console → AWS CloudTrail

  3. Click Trails in the left navigation panel

  4. Check if Multi-Region Trail is Enabled

  5. Ensure Logging is ON

  6. Verify Management Events (Read & Write) are enabled

Using AWS CLI

1. Check CloudTrail Multi-Region and Logging Status:

aws cloudtrail describe-trails
aws cloudtrail get-trail-status --name <trail-name>
aws cloudtrail get-event-selectors --trail-name <trail-name>

2. Check if a Metric Filter Exists for Console Logins Without MFA (the filterPattern in the output should be):

aws logs describe-metric-filters --log-group-name <trail-log-group-name>
{
    "filterPattern": "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
}
or (if using SSO exclusion):
{
    "filterPattern": "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
}

3. Verify CloudWatch Alarm Exists for Non-MFA Logins:

aws cloudwatch describe-alarms --query "MetricAlarms[?MetricName == 'no_mfa_console_signin_metric']"

4. Confirm SNS Topic Has Active Subscriptions:

aws sns list-subscriptions-by-topic --topic-arn <sns-topic-arn>
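The four CLI checks above only pass when every link of the chain is in place: a multi-region trail that is logging management events to a log group, a metric filter with one of the accepted patterns, an alarm on that metric with an SNS action, and a confirmed subscriber on the topic. The script below applies those checks to the JSON the CLI or API returns. It is an added example, not part of the benchmark or of any AWS tooling; each check function takes the describe-trails entry, get-trail-status, get-event-selectors, describe-metric-filters, describe-alarms and list-subscriptions-by-topic documents and returns a list of findings (empty list means compliant). The sample documents, the account id 111122223333, the trail, topic and subscription ARNs and the e-mail endpoint are constructed placeholders.

```python
"""Audit the non-MFA console sign-in monitoring chain from AWS CLI/API JSON output."""

ACCEPTED_PATTERNS = {
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
    '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }',
}
METRIC_NAME = "no_mfa_console_signin_metric"

def _norm(pattern):
    """Collapse whitespace so a cosmetically different stored pattern still passes."""
    return " ".join(pattern.split())

def check_trail(trail, status, selectors):
    """describe-trails entry + get-trail-status + get-event-selectors output -> findings."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not status.get("IsLogging"):
        findings.append("trail logging is OFF")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail does not deliver to a CloudWatch Logs group")
    basic_ok = any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                   for s in selectors.get("EventSelectors", []))
    # Advanced selectors: a Management-category selector that does not restrict readOnly.
    advanced_ok = any(
        any(f.get("Field") == "eventCategory" and f.get("Equals") == ["Management"]
            for f in s.get("FieldSelectors", []))
        and not any(f.get("Field") == "readOnly" for f in s.get("FieldSelectors", []))
        for s in selectors.get("AdvancedEventSelectors", []))
    if not (basic_ok or advanced_ok):
        findings.append("management events (read and write) are not enabled")
    return findings

def check_metric_filter(filters):
    """describe-metric-filters output: an accepted pattern must emit METRIC_NAME."""
    accepted = {_norm(p) for p in ACCEPTED_PATTERNS}
    for mf in filters.get("metricFilters", []):
        emits = any(t.get("metricName") == METRIC_NAME for t in mf.get("metricTransformations", []))
        if emits and _norm(mf.get("filterPattern", "")) in accepted:
            return []
    return [f"no metric filter with an accepted ConsoleLogin/MFAUsed pattern emits {METRIC_NAME}"]

def check_alarm(alarms):
    """describe-alarms output -> (findings, SNS topic ARNs the alarm notifies)."""
    for alarm in alarms.get("MetricAlarms", []):
        if alarm.get("MetricName") == METRIC_NAME:
            topics = [a for a in alarm.get("AlarmActions", []) if a.startswith("arn:aws:sns:")]
            if not topics:
                return [f"alarm {alarm.get('AlarmName')} has no SNS alarm action"], []
            return [], topics
    return [f"no CloudWatch alarm is defined on {METRIC_NAME}"], []

def check_subscriptions(subs):
    """list-subscriptions-by-topic output: unconfirmed e-mail subscribers read 'PendingConfirmation'."""
    confirmed = [s for s in subs.get("Subscriptions", [])
                 if s.get("SubscriptionArn", "PendingConfirmation") != "PendingConfirmation"]
    return [] if confirmed else ["SNS topic has no confirmed subscriptions"]

def audit(trail, status, selectors, filters, alarms, subs_by_topic):
    """Run the whole chain; subs_by_topic maps topic ARN -> list-subscriptions-by-topic output."""
    findings = check_trail(trail, status, selectors) + check_metric_filter(filters)
    alarm_findings, topics = check_alarm(alarms)
    findings += alarm_findings
    for arn in topics:
        findings += [f"{arn}: {f}" for f in check_subscriptions(subs_by_topic.get(arn, {}))]
    return findings

# Constructed sample responses: placeholder account 111122223333, ARNs and e-mail are not real.
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
EMAIL_SUB = {"Protocol": "email", "Endpoint": "security-team@example.com", "TopicArn": TOPIC}
COMPLIANT = dict(
    trail={"Name": "management-events", "IsMultiRegionTrail": True,
           "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Default:*"},
    status={"IsLogging": True},
    selectors={"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    filters={"metricFilters": [{
        "filterName": "no-mfa-console-signin-metric",
        "filterPattern": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
        "metricTransformations": [{"metricName": METRIC_NAME, "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]},
    alarms={"MetricAlarms": [{"AlarmName": "no_mfa_console_signin_alarm", "MetricName": METRIC_NAME,
                              "Namespace": "CISBenchmark", "AlarmActions": [TOPIC]}]},
    subs_by_topic={TOPIC: {"Subscriptions": [dict(EMAIL_SUB, SubscriptionArn=TOPIC + ":0f1e2d3c-placeholder")]}},
)

def run_compliant_sample():
    return audit(**COMPLIANT)

def run_noncompliant_sample():
    """Same account, but logging was switched off and the e-mail subscription was never confirmed."""
    broken = dict(COMPLIANT, status={"IsLogging": False},
                  subs_by_topic={TOPIC: {"Subscriptions": [dict(EMAIL_SUB, SubscriptionArn="PendingConfirmation")]}})
    return audit(**broken)

if __name__ == "__main__":
    for finding in run_noncompliant_sample():
        print("FINDING:", finding)
```

To run it against a real account, parse the output of the four CLI commands above (for example `aws cloudtrail describe-trails --output json` through `json.load`) and pass the documents to `audit()`; an empty result corresponds to all four test-plan steps passing. The subscription check matters in practice: an e-mail subscription that was never confirmed shows `PendingConfirmation` as its ARN and delivers nothing, so the alarm fires into the void.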


Implementation Steps:

Using AWS Console:

Enable Metric Filters for Non-MFA Logins:

  1. Log in to AWS Console

  2. Navigate to CloudTrail Console

  3. Click Trails → Log Group

  4. Add a Metric Filter for non-MFA logins

  5. Create a CloudWatch Alarm to trigger alerts

Using AWS CLI

1. Create a CloudWatch Metric Filter:

aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name no-mfa-console-signin-metric \
  --metric-transformations metricName=no_mfa_console_signin_metric,metricNamespace=CISBenchmark,metricValue=1 \
  --filter-pattern "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"

or (to exclude SSO users):

aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name no-mfa-console-signin-metric \
  --metric-transformations metricName=no_mfa_console_signin_metric,metricNamespace=CISBenchmark,metricValue=1 \
  --filter-pattern "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
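The difference between the two filter patterns (here and in step 2 of the CLI test plan) is easiest to see by running them over real-looking sign-in records. The script below is an added example, not part of the benchmark: it re-implements the two patterns as Python predicates over the JSON records CloudTrail delivers to the CloudWatch Logs group, and shows which records each one counts toward no_mfa_console_signin_metric. The sample events are constructed; the account id, ARNs, IP address and event IDs are placeholders, and the helper treats a missing JSON field as not matching.

```python
"""Run the two ConsoleLogin metric-filter patterns over constructed CloudTrail events."""
import json

MISSING = object()

def _path(event, dotted):
    """Resolve a '$.a.b' selector; MISSING when any key is absent (missing keys never match here)."""
    node = event
    for key in dotted[2:].split("."):          # drop the leading "$."
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def base_pattern(event):
    """{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    mfa = _path(event, "$.additionalEventData.MFAUsed")
    return _path(event, "$.eventName") == "ConsoleLogin" and mfa is not MISSING and mfa != "Yes"

def sso_exclusion_pattern(event):
    """Base pattern plus ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success")."""
    return (base_pattern(event)
            and _path(event, "$.userIdentity.type") == "IAMUser"
            and _path(event, "$.responseElements.ConsoleLogin") == "Success")

def _event(event_id, identity, mfa_used, result, event_name="ConsoleLogin"):
    """Build one CloudTrail record with the fields the patterns inspect (constructed, not a real log)."""
    return {
        "eventVersion": "1.08",
        "userIdentity": identity,
        "eventTime": "2024-01-01T12:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"LoginTo": "https://console.aws.amazon.com/console/home",
                                "MobileVersion": "No", "MFAUsed": mfa_used},
        "eventID": event_id,
    }

# Placeholder identities (account 111122223333 is not real).
IAM_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
# Federated / IAM Identity Center sign-ins arrive as AssumedRole with MFAUsed "No":
# MFA happened at the identity provider, which CloudTrail cannot see.
FEDERATED = {"type": "AssumedRole",
             "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_placeholder/alice"}

# One JSON document per line, as CloudTrail writes them to the log group (constructed sample).
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    _event("ev-1", IAM_USER, "Yes", "Success"),      # IAM user with MFA: clean
    _event("ev-2", IAM_USER, "No", "Success"),       # IAM user without MFA: the real finding
    _event("ev-3", IAM_USER, "No", "Failure"),       # failed password attempt, MFA never reached
    _event("ev-4", FEDERATED, "No", "Success"),      # SSO/federated login: noise for the base pattern
    _event("ev-5", ROOT, "Yes", "Success"),          # root with MFA: clean
    _event("ev-6", IAM_USER, "No", "Success", event_name="AssumeRole"),  # not a console login
)]

def matching_event_ids(log_lines, pattern):
    """Event IDs of the records the pattern would count (metricValue=1 each)."""
    return [ev["eventID"] for ev in map(json.loads, log_lines) if pattern(ev)]

def alarm_fires(log_lines, pattern, threshold=1):
    """Mirror the alarm: Sum of the metric over the period >= threshold."""
    return len(matching_event_ids(log_lines, pattern)) >= threshold

if __name__ == "__main__":
    print("base pattern  :", matching_event_ids(SAMPLE_LOG_LINES, base_pattern))
    print("SSO exclusion :", matching_event_ids(SAMPLE_LOG_LINES, sso_exclusion_pattern))
```

On this sample the base pattern counts ev-2, ev-3 and ev-4, so a single federated sign-in (ev-4) is enough to trigger the alarm with the 300-second window and threshold of 1 configured below; the SSO-exclusion pattern counts only ev-2, the successful IAM-user sign-in without MFA. Note that the exclusion also drops failed attempts (ev-3), so accounts that want to see password-guessing against non-MFA users should keep a separate filter for those.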

2. Create an SNS Topic for Alerts:

aws sns create-topic --name security-alerts

3. Subscribe Security Team to SNS Alerts:

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <security-team-email>

4. Create a CloudWatch Alarm to Trigger Alerts:

aws cloudwatch put-metric-alarm \
  --alarm-name "no_mfa_console_signin_alarm" \
  --metric-name "no_mfa_console_signin_metric" \
  --namespace "CISBenchmark" \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <sns-topic-arn>

Backout Plan:

1. Remove the Metric Filter (for example, before recreating it with the SSO-exclusion pattern to reduce false positives if SSO is used):

aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name no-mfa-console-signin-metric

2. Remove the CloudWatch Alarm (If Not Needed):

aws cloudwatch delete-alarms --alarm-name "no_mfa_console_signin_alarm"

3. Unsubscribe SNS Alert Recipients:

aws sns unsubscribe --subscription-arn <subscription-arn>

References: