TF 0516 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| Service | cloudwatch |
| Provider | AWS |
Description
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.
Resolution
Create an alarm to alert on non MFA logins