Control: 2.17 Ensure a log monitoring and alerts are set up for Management Console sign-in without MFA
Description
Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to Log Service and establishing corresponding query and alarms. It is recommended that a query and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
Remediation
Perform the following to ensure the log monitoring and alerts are set up for Management Console sign-in without MFA:
From Console
- Logon to SLS Console.
- Click
Log Service Audit Servicein the navigation pane. - Go to
Access to Cloud Products > Global Configurationpage.- Select a location of project for logs.
- Check the
Action Trailand configure a proper days. - Click
Saveto save the changes.
- Go to
Access to Cloud Products > Global ConfigurationsclickCentral Project. - Select
Log Management > Actiontrail Log. - In the search/analytics console, input below query
"event.eventName": ConsoleSignin and "addionalEventData.loginAccount": false
- Create a dashboard and set alert for the query result.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_2_17Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run alicloud_compliance.control.cis_v100_2_17 --shareSQL
This control uses a named query:
select 'arn:acs:::' || account_id as resource, 'info' as status, 'Manual verification required.' as reason , account_id as account_idfrom alicloud_account;