How to track sign-ins without MFA (Multi-Factor Authentication)


In the 21st century, the era of mobility and the internet, we are always searching for new ways to protect our privacy and data. Currently, the most promising method is authentication with two or more factors, which we call Multi-Factor Authentication (MFA). The most ubiquitous examples are e-mail authentication and payment gateways. But MFA's track record is not flawless either, since security breaches happen in the MFA ecosystem as well. Therefore, you cannot rely on it alone.

So, what should you do for AWS console sign-ins that are not secure even with MFA?

Having metric filters and alarms in place

In the AWS Management Console, you can monitor all API calls and console sign-ins by directing CloudTrail logs to CloudWatch Logs and establishing a corresponding metric filter and alarm. An alarm is triggered every time an IAM user calls an API or signs in to your console. A report by Forrester (a market research company) also states that 80% of security breaches involve privileged credentials. Implementing CloudTrail and CloudWatch Logs will increase the level of protection of, and visibility into, your AWS account. Since all these records are stored in your S3 bucket, you can review every record and log at any time.
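
The decision such a metric filter makes on each CloudTrail record can be reproduced offline. The Python below is an added example, not Centilytics' or AWS's own code: FILTER_PATTERN is a CloudWatch Logs metric filter pattern for sign-ins without MFA, narrowed here to successful IAM-user console sign-ins, and the function applies the same conditions to constructed sample records. The function names, the helper and the sample data are assumptions made for illustration.

```python
import json

# CloudWatch Logs metric filter pattern; signin_without_mfa() mirrors its conditions.
FILTER_PATTERN = ('{ ($.eventName = "ConsoleLogin") && '
                  '($.additionalEventData.MFAUsed != "Yes") && '
                  '($.userIdentity.type = "IAMUser") && '
                  '($.responseElements.ConsoleLogin = "Success") }')

def signin_without_mfa(event):
    """True for a successful IAM-user console sign-in that did not use MFA."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    extra = event.get("additionalEventData") or {}
    identity = event.get("userIdentity") or {}
    response = event.get("responseElements") or {}
    # Assumptions: a missing MFAUsed counts as no MFA; non-IAMUser sign-ins are skipped.
    return (extra.get("MFAUsed") != "Yes"
            and identity.get("type") == "IAMUser"
            and response.get("ConsoleLogin") == "Success")

def flagged_signins(log_lines):
    """Return (eventTime, userName, sourceIPAddress) for every matching record."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, ignore
        if isinstance(event, dict) and signin_without_mfa(event):
            hits.append((event.get("eventTime"), event["userIdentity"].get("userName"),
                         event.get("sourceIPAddress")))
    return hits

def _record(time, user, id_type, mfa, result, name="ConsoleLogin"):
    # Builds one constructed CloudTrail-style record, trimmed to the fields used here.
    return json.dumps({
        "eventTime": time, "eventName": name, "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": id_type, "userName": user},
        "additionalEventData": {"MFAUsed": mfa},
        "responseElements": {"ConsoleLogin": result}})

SAMPLE = [  # constructed sample input, not real log data
    _record("2024-01-01T10:00:00Z", "alice", "IAMUser", "No", "Success"),
    _record("2024-01-01T10:05:00Z", "bob", "IAMUser", "Yes", "Success"),
    _record("2024-01-01T10:07:00Z", "carol", "IAMUser", "No", "Failure"),
    _record("2024-01-01T10:09:00Z", "dave", "AssumedRole", "No", "Success"),
    _record("2024-01-01T10:11:00Z", "alice", "IAMUser", "No", "Success", "DescribeInstances"),
    "not json",
]
```

Of the sample records, only the first (a successful IAM-user sign-in with MFAUsed set to "No") is returned by flagged_signins(SAMPLE); the failed attempt, the MFA-protected sign-in, the assumed-role sign-in and the non-sign-in event are ignored.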

Why do you need the help of Centilytics?

Centilytics checks that a trail has been created in CloudTrail and that a metric filter and alarm have been configured in CloudWatch. We provide you with all the important information regarding your trails and logs in tabular form for better understanding. Centilytics monitors all of your settings in real time and alerts you when something critical is not working and needs your attention. This helps ensure that your data remains safe.

Insight Description:

Ok: The trail in CloudTrail has a CloudWatch log group configured with a metric filter, an alarm, and an SNS topic with at least one subscriber.
Warning: For your CloudWatch alarms, either no SNS topic has been created or the topic has no subscribers to receive the alerts.
Critical: Delivery to CloudWatch Logs is not configured.

Descriptions of the further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account Name: Shows the account name corresponding to the user’s account.

Region: This column shows the region in which your instance has been used.

Identifier: Shows you the service with its trail name.

Log Group Name: It represents the name of the group which has permission to use the service.

Metric Filter Name: Shows you the name that you have given to the metric filter.

Alarm Name: Shows you the name of the alarm which you have assigned.

SNS Topic Name: SNS refers to the Simple Notification Service. The topic is the group of individuals who receive the alert message.

Custom Severity Description: Shows the severity of your metric filter and its custom description.

Filters Applicable:

Account Id: Applying the account Id filter will display all the public snapshots for the selected account Id.

Region: Applying the region filter will display all the public snapshots corresponding to the selected region.

Severity: Applying the severity filter will display public snapshots according to the selected severity type, i.e. selecting critical will display all instances with critical severity. The same applies to the Warning and Ok severity types.

Resource Tags: Applying the resource tags filter will display those public snapshots which have been assigned the selected resource tag. For example, if the user has tagged some public snapshots with a resource tag named environment, then selecting environment from the resource tags filter will display all those snapshots.

Resource Tags Value: Applying the resource tags value filter will display data which has the selected resource tag value. For example, say a user has tagged some resource with a tag named environment and a value of production (environment: production). The user can then view data for all the resources which are tagged as "environment:production". The user can use the tag value filter only when a tag name has been provided.

Compliance: By applying the Compliance filter, you can further refine your security and health checks.
