lacework-global-58
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without Multi-Factor Authentication (MFA) (Automated)
Profile Applicability
• Level 1
Description
Achieve real-time monitoring of API calls by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Best practices recommend using a metric filter and alarm for console logins that are not protected by MFA.
Rationale
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
Audit
Perform the following to ensure that there is at least one active multi-region CloudTrail with prescribed metric filters and alarms configured:
- Identify the log group name configured for use with active multi-region CloudTrail:
- List all
CloudTrails:
aws cloudtrail describe-trails
Identify Multi region CloudTrails:
Trails with "IsMultiRegionTrail" set to trueFrom value associated with CloudWatchLogsLogGroupArn note
<cloudtrail_log_group_name>
Example: for CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup
- Ensure Identified Multi region
CloudTrailis active
aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>
Ensure in the output that IsLogging is set to TRUE
- Ensure identified Multi-region 'CloudTrail' captures all Management Events
aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>
Ensure in the output there is at least one Event Selector for a Trail with IncludeManagementEvents set to true and ReadWriteType set to All
- Get a list of all associated metric filters for this
<cloudtrail_log_group_name>:
aws logs describe-metric-filters --log-group-name "<cloudtrail_log_group_name>"
- Ensure the output from the above command contains the following:
"filterPattern": "{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"
Or (To reduce false positives incase Single Sign-On (SSO) is used in organization):
"filterPattern": "{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }"
Note the
<no_mfa_console_signin_metric>value associated with thefilterPatternfound in step 3.Get a list of CloudWatch alarms and filter on the
<no_mfa_console_signin_metric>captured in step 4.
aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName== `<no_mfa_console_signin_metric>`]'
Note the
AlarmActionsvalue - this will provide the SNS topic ARN value.Ensure there is at least one active subscriber to the SNS topic
aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
at least one subscription should have "SubscriptionArn" with valid aws ARN.
Example of valid "SubscriptionArn": "arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>"
Remediation
Perform the following to setup the metric filter, alarm, Simple Notification Service (SNS) topic, and subscription:
- Create a metric filter based on filter pattern provided which checks for AWS Management Console sign-in without MFA, providing a
<cloudtrail_log_group_name>.
Use Command:
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> -- filter-name <no_mfa_console_signin_metric> --metric-transformations metricName= <no_mfa_console_signin_metric>,metricNamespace='cis_benchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
Or (To reduce false positives if using Single Sign-On (SSO) in organization):
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> -- filter-name <no_mfa_console_signin_metric> --metric-transformations metricName=<no_mfa_console_signin_metric>,metricNamespace='cis_benchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
You can choose your own metricName and metricNamespace strings. Use the same metricNamespace for all Foundations Benchmark metrics to group them together.
- Create an SNS topic that the alarm can notify:
aws sns create-topic --name <sns_topic_name>
You can execute this command once and then re-use the same topic for all monitoring alarms.
- Create an SNS subscription to the topic created in step 2:
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
You can execute this command once and then re-use the SNS subscription for all monitoring alarms.
- Create an alarm associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2:
aws cloudwatch put-metric-alarm --alarm-name <no_mfa_console_signin_alarm> --metric-name <no_mfa_console_signin_metric> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'cis_benchmark' --alarm-actions <sns_topic_arn>
References
CCE-79187-1
https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html
Additional Information
Configuring log metric filter and alarm on Multi-region (global) CloudTrail:
- ensures monitoring of activities from all regions (used as well as unused)
- ensures monitoring of activities on all supported global services
- ensures monitoring of all management events across all regions
- Filter pattern set to { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success"} reduces false alarms raised when user logs in via SSO account.