search

Monitor for API Activity Without Multi-factor Authentication (MFA)

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when API calls are made without the use of multi-factor authentication (MFA).

hashtag
Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/arrow-up-right.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntaxarrow-up-right in the Amazon CloudWatch User Guide.

  6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ApiActivityWithoutMFA.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name box, enter ApiActivityWithoutMFACount.

  9. Choose Metric Value, and then type 1.

    Note

    If Metric Value does not appear, choose Show advanced metric settings first.

  10. When you are finished, choose Create Filter.

hashtag
Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values. CloudWatch Logs Create Alarm Wizard

    Setting

    Value

    Api Activity Without MFA

    >=1

    1

    5 Minutes

    Sum

    Near the Select a notification list box, choose New list, and then type a unique topic name for the list.

    Choose Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, choose Create Alarm.

PreviousMonitor Host-Based Intrusion Detection System Alerts on Amazon EC2 InstancesNextMonitor for Console Sign In Without Multi-factor Authentication (MFA)

Last updated