From b5901d0b6511f2e99f65aa1739a63cba3d4df981 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 26 Oct 2017 18:06:45 -0400
Subject: [PATCH 1/2] Fixed issue #112
---
 prowler | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prowler b/prowler
index 0714fb3a..345cb1e5 100755
--- a/prowler
+++ b/prowler
@@ -1055,7 +1055,7 @@ check32(){
 textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
- METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP $PROFILE_OPT --region $REGION --query 'metricFilters' | grep -E 'userIdentity.sessionContext.attributes.mfaAuthenticated.*true')
+ METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP $PROFILE_OPT --region $REGION --query 'metricFilters' |grep filterPattern|awk '/.userIdentity.type/&&/.responseElements.ConsoleLogin/&&/.additionalEventData.MFAUsed/&&/Yes/')
 if [[ $METRICFILTER_SET ]];then
 textOK "CloudWatch group found with metric filters for sign-in Console without MFA enabled"
 else
From 0f1407325f9d7ffb594f640e2ebc636e510da64f Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Thu, 26 Oct 2017 18:09:36 -0400
Subject: [PATCH 2/2] Fixed issue #112
---
 prowler | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prowler b/prowler
index 345cb1e5..22f1368f 100755
--- a/prowler
+++ b/prowler
@@ -1055,7 +1055,7 @@ check32(){
 textTitle "$ID32" "$TITLE32" "SCORED" "LEVEL1"
 CLOUDWATCH_GROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $7 }')
 if [[ $CLOUDWATCH_GROUP ]];then
- METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP $PROFILE_OPT --region $REGION --query 'metricFilters' |grep filterPattern|awk '/.userIdentity.type/&&/.responseElements.ConsoleLogin/&&/.additionalEventData.MFAUsed/&&/Yes/')
+ METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $CLOUDWATCH_GROUP $PROFILE_OPT --region $REGION --query 'metricFilters' |grep filterPattern|awk '/.userIdentity.type/&&/IAMUser/||/root/&&/.responseElements.ConsoleLogin/&&/.additionalEventData.MFAUsed/&&/Yes/')
 if [[ $METRICFILTER_SET ]];then
 textOK "CloudWatch group found with metric filters for sign-in Console without MFA enabled"
 else
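Review bot: The awk condition on the added `METRICFILTER_SET` line groups differently from what was presumably intended, because `&&` binds tighter than `||` in awk. As written it evaluates as `(/.userIdentity.type/ && /IAMUser/) || (/root/ && /.responseElements.ConsoleLogin/ && /.additionalEventData.MFAUsed/ && /Yes/)`, so any filterPattern that merely mentions `userIdentity.type` and `IAMUser` makes check32 print textOK even if it never references ConsoleLogin or MFAUsed. Parenthesising the alternation restores the intent: `awk '/.userIdentity.type/&&(/IAMUser/||/root/)&&/.responseElements.ConsoleLogin/&&/.additionalEventData.MFAUsed/&&/Yes/'`. Separately, `grep filterPattern` assumes JSON output, but this call passes no `--output json` (unlike the describe-trails call above it, which sets `--output text`), so a profile configured for text or table output would likely fail the check even when the filter exists. The body of check32 continues past the end of this hunk.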