v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/alicloud_compliance
Overview
1Dashboards
78Controls
40Queries
2Variables
GitHub

Control: 2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for console logins that are not protected by multi-factor authentication (MFA).

Remediation

Perform the following to ensure the log monitoring and alerts are set up for Management Console sign-in without MFA:

From Console

  1. Logon to SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Check the Action Trail and configure a proper days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input below query
"event.eventName": ConsoleSignin and "addionalEventData.loginAccount": false
  1. Create a dashboard and set alert for the query result.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_17 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 2.17
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v1.0.0
plugin = alicloud
service = AliCloud/SLS