Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for Management Console sign-in attempts made without multi-factor authentication (MFA). A CloudWatch metric filter and corresponding alarm must be configured to detect and alert security teams when a user logs in to the AWS Management Console without MFA enabled. Monitoring this activity helps enforce strong authentication practices and protects against credential-based attacks.


Rationale:

MFA provides an additional layer of security beyond usernames and passwords. Detecting sign-ins without MFA ensures that users adhere to organizational security policies and helps identify accounts that may be vulnerable to unauthorized access. Monitoring these events supports compliance requirements and reduces the risk of account compromise due to stolen or weak credentials.


Impact:

  • Positive Impact:Enhances account security by enforcing MFA use.Provides visibility into potential policy violations.Improves compliance with security frameworks requiring MFA (e.g., CIS, ISO 27001, SOC 2).
  • Negative Impact:Slight increase in CloudWatch log ingestion and alerting costs.


Default Value:

By default, AWS does not provide a metric filter or alarm for console sign-ins without MFA. Manual setup is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.

  • CloudTrail logs must be delivered to a CloudWatch Logs group.

  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (usually named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Assign a metric name such as ConsoleSignInWithoutMFA.

  6. Go to CloudWatch → Alarms → Create alarm.

  7. Create an alarm for the ConsoleSignInWithoutMFA metric.

  8. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  9. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.

  2. Open the CloudTrail log group.

  3. Choose Create metric filter 

  4. Set Metric Name: ConsoleSignInWithoutMFA.

  5. Create an Alarm:

    • Metric: ConsoleSignInWithoutMFA

    • Namespace: CISBenchmark

    • Condition: ≥ 1 in 5 minutes

    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)

  6. Save all configurations.


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.
  2. Select the ConsoleSignInWithoutMFAAlarm.
  3. Choose Actions → Delete.
  4. Go to Logs → Metric Filters.
  5. Delete the ConsoleSignInWithoutMFA filter.


References: