Console sign-in without MFA alarm
Check ID: aws-cw-003
AWS-CW-003 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch metric filter and alarm exist to detect console sign-ins without MFA. Without this monitoring, compromised credentials used without MFA go undetected.
Why it matters
Console logins without MFA indicate either a misconfigured IAM user or an attacker who has compromised a password but cannot bypass MFA. Monitoring for non-MFA console access provides an early warning system that complements MFA enforcement policies. The 2023 Retool breach demonstrated how social engineering can bypass MFA, but monitoring for non-MFA logins catches the simpler attack vector of pure credential theft. This alarm is especially important during the transition period when you are rolling out MFA enforcement, as it identifies users who have not yet configured their MFA device. In regulated environments, auditors specifically look for evidence that non-MFA access attempts are detected and investigated.
Common causes
MFA enforcement is typically implemented as an IAM policy condition rather than a hard block, so non-MFA logins can still succeed for users with certain policy configurations. Organizations assume that enabling MFA on all users eliminates the need for monitoring, but users can have their MFA device removed by an admin. Federated logins through SAML or SSO may not always pass MFA status through to CloudTrail, creating blind spots.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
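To see exactly which CloudTrail records the CIS 4.2 metric filter would count, the following added example (not cloud-audit's own code) evaluates the page's filter pattern offline against a few constructed ConsoleLogin events. It implements only the subset of the CloudWatch Logs JSON filter syntax the pattern uses (a brace-wrapped conjunction of string = and != terms) and makes one simplifying assumption: a term never matches when the field is absent from the event. The account id, principal names and the SAML provider ARN in the sample events are made up. The third sample event illustrates the federated-login caveat from the Common causes section: when the IdP's MFA result is not carried into CloudTrail, MFAUsed reads "No" and the pattern fires on that sign-in as well, which is the kind of event to review when tuning the filter.

```python
"""Evaluate the CIS 4.2 non-MFA console sign-in filter against CloudTrail events.

Added example, not cloud-audit code: a small evaluator for the subset of the
CloudWatch Logs JSON filter syntax that the page's pattern uses, run offline
over constructed CloudTrail records.
"""
import re

# Filter pattern exactly as given in the page's remediation section.
NON_MFA_CONSOLE_LOGIN_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
)

# One term of the pattern: ($.dotted.path OP "string value").
_TERM_RE = re.compile(r'\(\s*\$\.([A-Za-z0-9_.]+)\s*(!=|=)\s*"([^"]*)"\s*\)')


def parse_pattern(pattern: str) -> list[tuple[str, str, str]]:
    """Parse a brace-wrapped conjunction of string equality terms.

    Supported subset: { ($.a.b = "x") && ($.c != "y") ... }.  Anything else
    (||, numeric comparisons, wildcards, IS) raises ValueError rather than
    silently mis-evaluating.
    """
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("pattern must be wrapped in { }")
    rest = body[1:-1].strip()
    terms: list[tuple[str, str, str]] = []
    while True:
        m = _TERM_RE.match(rest)
        if m is None:
            raise ValueError(f"unsupported term: {rest!r}")
        terms.append((m.group(1), m.group(2), m.group(3)))
        rest = rest[m.end():].lstrip()
        if not rest:
            return terms
        if not rest.startswith("&&"):
            raise ValueError(f"expected && before: {rest!r}")
        rest = rest[2:].lstrip()


def _lookup(event: dict, path: str):
    """Follow a dotted path into a nested dict; None if any step is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(pattern: str, event: dict) -> bool:
    """True if every term of the pattern holds for the event.

    Assumption of this evaluator (not a statement about CloudWatch itself):
    a term never matches when the field is absent, so '!=' does not fire on
    events that lack the field entirely.
    """
    for path, op, value in parse_pattern(pattern):
        actual = _lookup(event, path)
        if actual is None:
            return False
        if op == "=" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def matching_principals(pattern: str, events: list[dict]) -> list[str]:
    """Return the principal ARN of every event the metric filter would count."""
    return [e["userIdentity"]["arn"] for e in events if matches(pattern, e)]


# Constructed CloudTrail records. Field layout follows CloudTrail ConsoleLogin
# events; the account id, names and provider ARN are made up for this example.
SAMPLE_EVENTS = [
    {   # IAM user signing in with password only: the case the alarm exists for
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # IAM user with MFA: must not alarm
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # Federated (SAML) sign-in: the IdP's MFA result is not carried into
        # CloudTrail here, so MFAUsed reads "No" and the pattern matches it too.
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Engineers/carol@example.com"},
        "additionalEventData": {"MFAUsed": "No",
                                "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/corp-idp"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # Unrelated API call: the eventName term fails, so no match
        "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"userName": "dave"},
    },
]


if __name__ == "__main__":
    for arn in matching_principals(NON_MFA_CONSOLE_LOGIN_PATTERN, SAMPLE_EVENTS):
        print("would alarm:", arn)
```

Running the script lists alice (IAM user without MFA) and the federated carol session, and stays silent for bob and for the CreateUser call. Feeding it real CloudTrail records exported from the log group is a cheap way to check what the alarm will fire on before wiring it to an SNS topic.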
Remediation: AWS CLI
# Create metric filter:
aws logs put-metric-filter \
  --log-group-name <CLOUDTRAIL_LOG_GROUP> \
  --filter-name CIS-4.2 \
  --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }' \
  --metric-transformations metricName=CIS-4-2,metricNamespace=CISBenchmark,metricValue=1

# Create alarm:
aws cloudwatch put-metric-alarm \
  --alarm-name CIS-4.2 \
  --metric-name CIS-4-2 \
  --namespace CISBenchmark \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <SNS_TOPIC_ARN>
Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "cis_4_2" {
  name           = "CIS-4.2"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"

  metric_transformation {
    name      = "CIS-4-2"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_2" {
  alarm_name          = "CIS-4.2"
  metric_name         = "CIS-4-2"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
Compliance mapping
This check maps to CIS 4.2 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit. Install it with pip install cloud-audit.
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →