Description:
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Rationale:
Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA.
Perform the following to set up the metric filter, alarm, SNS topic, and subscription (the angle-bracket values are placeholders to replace with your own names and ARNs):
Use Command:
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name '<no_mfa_console_signin_metric>' --metric-transformations metricName='<no_mfa_console_signin_metric>',metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
Or (to reduce false positives in case Single Sign-On (SSO) is used in the organization, count only successful sign-ins by IAM users):
aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name '<no_mfa_console_signin_metric>' --metric-transformations metricName='<no_mfa_console_signin_metric>',metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }'
Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.
aws sns create-topic --name <sns_topic_name>
Note: you can execute this command once and then re-use the same topic for all monitoring alarms.
aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: you can execute this command once and then re-use the SNS subscription for all monitoring alarms.
aws cloudwatch put-metric-alarm --alarm-name '<no_mfa_console_signin_alarm>' --metric-name '<no_mfa_console_signin_metric>' --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
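To see what the two filter patterns above actually count, here is an added Python check (not part of the CIS text and not the aws CLI) that applies the same comparisons to a few constructed, abridged ConsoleLogin records. It re-implements only the equality tests used by the two patterns, not the full CloudWatch Logs filter-pattern language; the sample identities, ARN and the SSO record's field values are assumptions.

```python
def _login(user_type, who, mfa, result):
    """Build an abridged ConsoleLogin record (constructed test data, not real logs)."""
    ident = {"type": user_type, "userName" if user_type == "IAMUser" else "arn": who}
    return {"eventName": "ConsoleLogin", "userIdentity": ident,
            "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": result}}

SAMPLE_EVENTS = [
    _login("IAMUser", "alice", "Yes", "Success"),   # MFA used: neither filter counts it
    _login("IAMUser", "bob", "No", "Success"),      # the case both filters should catch
    _login("IAMUser", "carol", "No", "Failure"),    # failed attempt: basic filter counts it
    # SSO/federated sign-in (assumed shape): MFA enforced at the IdP, MFAUsed still "No"
    _login("AssumedRole", "arn:aws:sts::111111111111:assumed-role/SSORole/dave", "No", "Success"),
    {"eventName": "GetCallerIdentity",              # unrelated API call, never counted
     "userIdentity": {"type": "IAMUser", "userName": "erin"}},
]

def _get(event, path):
    """Resolve a '$.a.b' selector against a record; None when any key is missing."""
    node = event
    for key in path[2:].split("."):        # drop the leading '$.'
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def basic_filter(event):
    """{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return (_get(event, "$.eventName") == "ConsoleLogin"
            and _get(event, "$.additionalEventData.MFAUsed") != "Yes")

def sso_aware_filter(event):
    """Second pattern: basic filter, restricted to IAMUser identities and successful sign-ins."""
    return (basic_filter(event)
            and _get(event, "$.userIdentity.type") == "IAMUser"
            and _get(event, "$.responseElements.ConsoleLogin") == "Success")

def matching_identities(events, filter_fn):
    """Return the userName (or ARN for roles) of every record the filter would count."""
    return [e["userIdentity"].get("userName") or e["userIdentity"].get("arn")
            for e in events if filter_fn(e)]

if __name__ == "__main__":
    print("basic:    ", matching_identities(SAMPLE_EVENTS, basic_filter))
    print("sso-aware:", matching_identities(SAMPLE_EVENTS, sso_aware_filter))
```

The basic pattern counts the failed attempt and the federated sign-in alongside the real single-factor IAM login, which is why the second pattern is offered where SSO is in use.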