turbot/alicloud_compliance

Control: 2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

Remediation

Perform the following to ensure the log monitoring and alerts are set up for Management Console sign-in without MFA:

From Console

  1. Logon to SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Check the Action Trail and configure a proper days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input below query
"event.eventName": ConsoleSignin and "addionalEventData.loginAccount": false
  1. Create a dashboard and set alert for the query result.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_17 --share

SQL

This control uses a named query:

manual_control

Tags