Monitor for API Activity Without Multi-factor Authentication (MFA)

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when API calls are made without the use of multi-factor authentication (MFA).

Create a Metric Filter

1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

2. In the navigation pane, choose Logs.

3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

4. Choose Create Metric Filter.

5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

   Copy

   { $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" }

   Note

   For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ApiActivityWithoutMFA.

7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

8. In the Metric Name box, enter ApiActivityWithoutMFACount.

9. Choose Metric Value, and then type 1.

   Note

   If Metric Value does not appear, choose Show advanced metric settings first.

10. When you are finished, choose Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

2. Setting

   Value

   Api Activity Without MFA

   >=1

   1

   5 Minutes

   Sum

   Near the Select a notification list box, choose New list, and then type a unique topic name for the list.

   Choose Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

3. When you are finished, choose Create Alarm.