lacework-global-58
4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Automated)
Profile Applicability
• Level 1
Description
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Rationale
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
Audit
Perform the following to ensure that there is at least one active multi-region CloudTrail with the prescribed metric filters and alarms configured:

1. Identify the log group name configured for use with the active multi-region CloudTrail:
   - List all CloudTrails:
     aws cloudtrail describe-trails
   - Identify multi-region CloudTrails: trails with "IsMultiRegionTrail" set to true.
   - From the value associated with CloudWatchLogsLogGroupArn, note <cloudtrail_log_group_name>.
     Example: for a CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup.
2. Ensure the identified multi-region CloudTrail is active:
   aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>
   Ensure in the output that IsLogging is set to TRUE.
3. Ensure the identified multi-region CloudTrail captures all management events:
   aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>
   Ensure in the output that there is at least one event selector for the trail with IncludeManagementEvents set to true and ReadWriteType set to All.
4. Get a list of all metric filters associated with this <cloudtrail_log_group_name>:
   aws logs describe-metric-filters --log-group-name "<cloudtrail_log_group_name>"
5. Ensure the output from the above command contains the following (the CLI prints the quotes inside the pattern escaped):
   "filterPattern": "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
   Or (to reduce false positives in case Single Sign-On (SSO) is used in the organization):
   "filterPattern": "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }"
6. Note the <no_mfa_console_signin_metric> value associated with the filterPattern found in step 5.
7. Get a list of CloudWatch alarms and filter on the <no_mfa_console_signin_metric> captured in step 6:
   aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`<no_mfa_console_signin_metric>`]'
8. Note the AlarmActions value; this will provide the SNS topic ARN.
9. Ensure there is at least one active subscriber to the SNS topic:
   aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>
   At least one subscription should have a "SubscriptionArn" with a valid AWS ARN (a "SubscriptionArn" of "PendingConfirmation" is not an active subscriber).
   Example of a valid "SubscriptionArn": "arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>"
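As an added illustration (not part of the benchmark text), the following Python applies audit steps 5 to 9 to constructed data shaped like the JSON the three CLI commands return; the account id, topic name and subscription id are made-up sample values.

```python
import re

# Constructed sample data shaped like the JSON returned by describe-metric-filters,
# describe-alarms and list-subscriptions-by-topic; all identifiers are made-up values.
METRIC_FILTERS = {"metricFilters": [
    {"filterName": "NoMFAConsoleSignin", "logGroupName": "NewGroup",
     "filterPattern": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     "metricTransformations": [{"metricName": "NoMFAConsoleSignin", "metricNamespace": "CISBenchmark"}]},
]}
TOPIC = "arn:aws:sns:us-east-1:111122223333:CISAlarms"
ALARMS = {"MetricAlarms": [
    {"AlarmName": "NoMFAConsoleSigninAlarm", "MetricName": "NoMFAConsoleSignin",
     "Statistic": "Sum", "Period": 300, "Threshold": 1.0, "AlarmActions": [TOPIC]},
]}
SUBSCRIPTIONS = {TOPIC: {"Subscriptions": [
    {"Protocol": "email", "Endpoint": "pending@example.com", "SubscriptionArn": "PendingConfirmation"},
    {"Protocol": "email", "Endpoint": "secops@example.com",
     "SubscriptionArn": TOPIC + ":0f2c8a6e-1b3d-4c5e-9f70-2a1b3c4d5e6f"},
]}}

# The two filter patterns the control accepts (audit step 5).
ACCEPTED_PATTERNS = [
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
    '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }',
]
SUB_ARN = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[^:]+:[0-9a-f-]{36}$")

def normalize(pattern):
    return re.sub(r"\s+", "", pattern)  # whitespace in a pattern is not significant

def compliant_metric_names(metric_filters):
    """Steps 5-6: metricName of every filter whose pattern is one of the accepted ones."""
    wanted = {normalize(p) for p in ACCEPTED_PATTERNS}
    return [t["metricName"] for f in metric_filters["metricFilters"]
            if normalize(f["filterPattern"]) in wanted for t in f["metricTransformations"]]

def alarm_topics(alarms, metric_names):
    """Steps 7-8: SNS topic ARNs listed in AlarmActions of alarms on those metrics."""
    return [arn for a in alarms["MetricAlarms"] if a["MetricName"] in metric_names
            for arn in a["AlarmActions"]]

def has_active_subscriber(topic_subscriptions):
    """Step 9: at least one subscription with a real ARN, not PendingConfirmation."""
    return any(SUB_ARN.match(s["SubscriptionArn"]) for s in topic_subscriptions["Subscriptions"])

def audit(metric_filters, alarms, subscriptions):
    """True when a compliant filter has an alarm whose SNS topic has an active subscriber."""
    topics = alarm_topics(alarms, compliant_metric_names(metric_filters))
    return any(has_active_subscriber(subscriptions.get(t, {"Subscriptions": []})) for t in topics)
```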
Remediation
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:

1. Create a metric filter based on the filter pattern provided, which checks for AWS Management Console sign-in without MFA, and the <cloudtrail_log_group_name> taken from audit step 1. Use the command:
   aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <no_mfa_console_signin_metric> --metric-transformations metricName=<no_mfa_console_signin_metric>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
   Or (to reduce false positives in case Single Sign-On (SSO) is used in the organization):
   aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <no_mfa_console_signin_metric> --metric-transformations metricName=<no_mfa_console_signin_metric>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
   Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
2. Create an SNS topic that the alarm will notify:
   aws sns create-topic --name <sns_topic_name>
   Note: You can execute this command once and then re-use the same topic for all monitoring alarms.
3. Create an SNS subscription to the topic created in step 2:
   aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
   Note: You can execute this command once and then re-use the SNS subscription for all monitoring alarms.
4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2:
   aws cloudwatch put-metric-alarm --alarm-name <no_mfa_console_signin_alarm> --metric-name <no_mfa_console_signin_metric> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
References
CCE-79187-1
https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/viewing_metrics_with_cloudwatch.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html
Additional Information
Configuring the log metric filter and alarm on a multi-region (global) CloudTrail:
- ensures that activities from all regions (used as well as unused) are monitored
- ensures that activities on all supported global services are monitored
- ensures that all management events across all regions are monitored
- Setting the filter pattern to
  { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }
  reduces false alarms raised when a user logs in via an SSO account.
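To see what the extra IAMUser and Success conditions exclude, the following Python (an added example, not part of the benchmark) runs both filter patterns over constructed CloudTrail ConsoleLogin records. It implements only the = and != string terms these two patterns use, as a simplified model of CloudWatch Logs filter matching rather than the service's own engine; the SAML provider ARN and account id are made-up values.

```python
import re

# Constructed CloudTrail ConsoleLogin records trimmed to the fields the two filter
# patterns read; the SAML provider ARN and account id are made-up sample values.
EVENTS = {
    "iam_user_no_mfa": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                        "additionalEventData": {"MFAUsed": "No"},
                        "responseElements": {"ConsoleLogin": "Success"}},
    "iam_user_mfa": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                     "additionalEventData": {"MFAUsed": "Yes"},
                     "responseElements": {"ConsoleLogin": "Success"}},
    # Federated (SSO) login: AWS does not see the IdP's MFA, so MFAUsed is recorded as "No".
    "sso_assumed_role": {"eventName": "ConsoleLogin", "userIdentity": {"type": "AssumedRole"},
                         "additionalEventData": {"MFAUsed": "No",
                                                 "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/corp-idp"},
                         "responseElements": {"ConsoleLogin": "Success"}},
    "iam_user_failed": {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
                        "additionalEventData": {"MFAUsed": "No"},
                        "responseElements": {"ConsoleLogin": "Failure"}},
    "other_api_call": {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser"}},
}

BASIC = '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
SSO_AWARE = ('{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") '
             '&& ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }')

# One ($.path OP "literal") term; the two patterns use only = and != joined by &&.
TERM = re.compile(r'\(\$\.([\w.]+)\s*(!=|=)\s*"([^"]*)"\)')

def lookup(event, dotted):
    """Resolve a $.a.b.c selector; None when any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

def matches(pattern, event):
    """Every term must hold; a missing field fails its term (an assumption of this model)."""
    terms = TERM.findall(pattern)
    assert terms, "unsupported pattern"
    for field, op, literal in terms:
        value = lookup(event, field)
        if value is None or (value == literal) != (op == "="):
            return False
    return True

def alerting_events(pattern, events=EVENTS):
    """Names of the records that would increment the metric under this pattern."""
    return sorted(name for name, e in events.items() if matches(pattern, e))
```

Under BASIC the federated login and the failed login both raise the alarm; under SSO_AWARE only the successful IAM-user login without MFA does.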