Ensure CloudWatch monitors AWS Management Console authentication requests that are not protected by Multi-Factor Authentication (MFA).
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using CloudWatch alarms to monitor single-factor authentication requests will increase visibility into your AWS accounts that are not protected by Multi-Factor Authentication.
Note: For this rule, Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account, otherwise see this rule to enable Amazon Cloudtrail – CloudWatch integration.
To determine if there are any CloudWatch alarms set up to monitor AWS Console sign-in requests made without MFA, perform the following:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notification alerts whenever the necessary AWS CloudWatch alarm is triggered:
Step 2: Create the required CloudWatch metric filter and the CloudWatch alarm that will fire whenever an AWS Management Console sign-in request made without using MFA is send:
- AWS Documentation
- Amazon CloudWatch Concepts
- View Available Metrics
- Creating Amazon CloudWatch Alarms
- Creating CloudWatch Alarms for CloudTrail Events: Additional Examples
- Create a Topic
- Subscribe to a Topic
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
AWS Console Sign In Without MFA
Risk level: Medium