Profile Applicability

  • Level 1

Description:

Multi-factor authentication (MFA) adds an extra layer of security to AWS Management Console sign-ins. Monitoring AWS Management Console sign-ins that occur without MFA verifies that users are following security best practice by using MFA for added protection. This control helps detect unauthorized sign-in attempts and potential breaches where MFA is not enforced.

Monitoring sign-ins that bypass MFA is essential to identify any accounts that may be vulnerable or misconfigured, ensuring that all AWS users follow MFA-enabled security protocols.

Rationale:

Sign-ins to the AWS Management Console without MFA can present significant security risks, as they are easier for attackers to compromise through credential theft, phishing, or brute force methods. Ensuring that MFA is used at every login reduces the attack surface and enhances the security posture of your AWS environment.

By monitoring sign-ins that occur without MFA, organizations can detect deviations from security policies, respond quickly to potential threats, and enforce stricter security measures when needed.

Impact:

Failure to monitor sign-ins without MFA can result in:

  • Increased vulnerability to unauthorized access and data breaches.

  • Potential violation of internal security policies and compliance standards (e.g., HIPAA, SOC 2).

  • Insufficient visibility into the security of management console logins.

Monitoring sign-ins without MFA ensures compliance with security best practices and mitigates risks related to weak authentication.

Default Value:

By default, AWS CloudTrail logs all Management Console sign-in events, including MFA status. However, CloudWatch and CloudTrail configuration must be set up to monitor sign-ins without MFA.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • cloudtrail:LookupEvents

    • cloudwatch:PutMetricData

    • cloudwatch:DescribeAlarms

  • CloudTrail enabled for logging Management Console sign-in events

  • CloudWatch configured to monitor failed sign-ins or sign-ins without MFA

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the CloudTrail Console.

  2. Ensure that Management Events are enabled for logging sign-in events.

  3. Go to the CloudWatch Console and confirm if there are any existing alarms set up for sign-ins without MFA.

Using AWS CLI:

List failed ConsoleLogin events. The event detail, including ResponseElements, is the JSON string in each event's CloudTrailEvent field, so it is filtered with jq rather than with --query:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --query "Events[].CloudTrailEvent" --output json | jq -c '.[] | fromjson | select(.responseElements.ConsoleLogin == "Failure")'

To verify CloudWatch monitoring for MFA failures:

aws cloudwatch describe-alarms --query "MetricAlarms[?AlarmName=='MFAConsoleLoginFailureAlarm']" --output table

Implementation Plan:

Using AWS Console:

  1. Ensure CloudTrail is logging MFA status for Management Console logins:

    • Go to the CloudTrail Console.

    • Verify that Management Events are enabled, particularly for ConsoleLogin events, and ensure MFA status is captured.

    • Ensure logs are being stored in an S3 bucket for long-term access and auditing.

  2. Set up CloudWatch metrics and alarms for sign-ins without MFA:

    • In the CloudWatch Console, create a custom metric filter to capture failed ConsoleLogin events where ConsoleLogin == 'Failure' and MFA is not used.

    • Set up an alarm that triggers when this metric exceeds a threshold.

Using AWS CLI:

  1. Verify CloudTrail logging for MFA-related login events:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --query "Events[].CloudTrailEvent" --output json | jq -c '.[] | fromjson | select(.responseElements.ConsoleLogin == "Failure")'

  2. Set up CloudWatch to monitor failed MFA sign-ins. The metric must be published by a CloudWatch Logs metric filter on the trail's log group (the custom metric filter from the console steps above), and the alarm needs an action, here an SNS topic, for --actions-enabled to have any effect:

aws cloudwatch put-metric-alarm --alarm-name "MFAConsoleLoginFailureAlarm" --metric-name "ConsoleLoginFailuresWithoutMFA" --namespace "AWS/CloudTrail" --statistic "Sum" --period 300 --threshold 1 --comparison-operator "GreaterThanOrEqualToThreshold" --evaluation-periods 1 --actions-enabled --alarm-actions <sns-topic-arn>
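The detection the metric filter above is meant to encode, as an added example that is not part of the original benchmark text: it applies the page's predicate (ConsoleLogin failure with MFA not used) to constructed CloudTrail ConsoleLogin records, and goes one step beyond the page by also flagging successful sign-ins whose MFAUsed is not "Yes", which is how a sign-in that bypassed MFA appears in CloudTrail. The FILTER_PATTERN string, the sample records and the function names are assumptions of this example, not values from the page.

```python
import json

# CloudWatch Logs filter pattern equivalent to no_mfa_sign_ins() below. Assumption: this is
# what you would pass to `aws logs put-metric-filter`; the original text states no pattern.
FILTER_PATTERN = ('{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")'
                  ' && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }')

# Constructed CloudTrail log-file content (sample data, not from a real account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/Admin/dave"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "userName": "erin"}},
]})

def _console_logins(log_text):
    return [r for r in json.loads(log_text)["Records"] if r.get("eventName") == "ConsoleLogin"]

def _mfa_used(record):
    # A missing additionalEventData or MFAUsed counts as "not Yes", like the != test in the filter.
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"

def _principal(record):
    ui = record.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or "unknown"

def failed_sign_ins_without_mfa(log_text):
    """The page's predicate: ConsoleLogin == 'Failure' and MFA not used."""
    return [_principal(r) for r in _console_logins(log_text)
            if r.get("responseElements", {}).get("ConsoleLogin") == "Failure" and not _mfa_used(r)]

def no_mfa_sign_ins(log_text, iam_users_only=True):
    """Successful sign-ins that bypassed MFA. Assumed-role (federated) sign-ins are skipped by
    default: MFA is normally enforced by the identity provider before the role is assumed, so
    their MFAUsed is 'No' even when a second factor was checked upstream."""
    return [_principal(r) for r in _console_logins(log_text)
            if r.get("responseElements", {}).get("ConsoleLogin") == "Success" and not _mfa_used(r)
            and (not iam_users_only or r.get("userIdentity", {}).get("type") == "IAMUser")]
```

Run over a real CloudTrail log file, no_mfa_sign_ins() is the list of IAM users who reached the console without a second factor; the page's own "Failure" predicate is kept separately so both views can be alarmed on.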

Backout Plan:

Using AWS Console:

  1. If monitoring sign-ins without MFA creates excessive alarms or logs:

    • Go to the CloudWatch Console.

    • Adjust the threshold for the CloudWatch alarm or modify the metric filter to reduce the number of triggered alarms.

    • Optionally, disable the alarm temporarily if it's generating too many notifications.

  2. Modify CloudTrail logging to reduce the number of recorded events if performance issues occur.

Using AWS CLI:

  1. Temporarily disable CloudWatch alarms:

aws cloudwatch disable-alarm-actions --alarm-names "MFAConsoleLoginFailureAlarm"

  2. Stop logging sign-in failures related to MFA in CloudTrail. Management-event logging is controlled by the trail's event selectors, and turning it off stops every other management-event detection on that trail as well:

aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":false}]'

  3. Re-enable monitoring once issues are resolved:

aws cloudwatch enable-alarm-actions --alarm-names "MFAConsoleLoginFailureAlarm"
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services