
Ensure a Log Metric Filter and Alarm Exist Rule

This rule ensures that a log metric filter and an alarm exist for usage of the "root" account.

Rule: Ensure a log metric filter and alarm exist for usage of "root" account
Framework: cis_v130
Severity: Critical

Rule/Policy Description:

The rule requires that a log metric filter and an alarm exist to track, and notify on, any usage of the "root" account. This is in compliance with the CIS benchmark version 1.3.0.

Troubleshooting Steps:

If the log metric filter and alarm for "root" account usage do not exist, follow the steps below to troubleshoot:

  1. Verify that the IAM role or user used to create the resource has sufficient permissions to create and manage CloudWatch Logs, CloudWatch metric filters, and alarms.

  2. Check the CloudTrail logs to ensure that events related to the "root" account are being recorded. If they are not, verify that CloudTrail is properly configured and that logging for the root account is enabled.

  3. Ensure that the appropriate filter pattern is used for the log metric filter to capture "root" account usage. Verify that the filter pattern matches the events generated by the root account or any relevant actions taken by it.

  4. Check whether any existing metric filters or alarms conflict with the one required for tracking "root" account usage. Resolve any conflicts by modifying or deleting the conflicting resources.

Necessary Codes:

There are no specific codes associated with this rule.

Step-by-Step Guide for Remediation:

Follow the steps below to remediate the non-compliant status and meet the requirement of having a log metric filter and alarm for usage of the "root" account:

  1. Open the AWS Management Console and navigate to the CloudWatch service.

  2. In the CloudWatch dashboard, click on "Logs" in the left-hand sidebar.

  3. Select the log group that captures the AWS CloudTrail logs.

  4. Click on "Create Metric Filter" and specify the filter pattern that identifies "root" account usage. Ensure the filter pattern accurately represents the events generated by the root account. For example, you can use the following filter pattern:

    { $.userIdentity.type = "Root" }

  5. Choose the log group you want to associate the metric filter with, and click on "Assign Metric".

  6. Specify a name and namespace for the metric filter, and configure the metric details as required. For example, you can set the metric name to "RootAccountUsage" and select a unit such as "Count".

  7. Once the metric filter is created, navigate to the CloudWatch service's dashboard.

  8. Click on "Alarms" in the left-hand sidebar and then click on "Create alarm".

  9. Under the "Select metric" section, choose the metric created in the previous steps (e.g., "RootAccountUsage").

  10. Configure the threshold that triggers the alarm. For example, you may want the alarm to fire when "Any data point" is "greater than 0" for "1 consecutive period".

  11. Set up the actions to be taken when the alarm is triggered, such as sending notifications to the appropriate individuals or performing automated actions.

  12. Review the configuration and click on "Create alarm" to save the settings.

By following these steps, a log metric filter and alarm will be created to track and notify any usage of the "root" account as required by the CIS benchmark version 1.3.0.
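As an added example (not Cloud Defense's own code), the Python below applies the filter pattern from the steps above to constructed CloudTrail records and models the check this rule performs: a metric filter that matches root usage must feed a metric that has an alarm with an action configured. It also goes beyond the page's one-clause pattern to the stricter pattern that CIS AWS Foundations 1.3.0 publishes for this control, which additionally ignores actions AWS services perform on the account's behalf; the event records, metric filter and alarm structures are constructed to mirror CloudTrail and CloudWatch describe-* output.

```python
# Added example (not Cloud Defense code); all sample data below is constructed.
# PAGE_PATTERN is the filter from the remediation steps; CIS_PATTERN is the
# stricter one CIS 1.3.0 publishes, which drops service-initiated root events.
PAGE_PATTERN = '{ $.userIdentity.type = "Root" }'
CIS_PATTERN = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy '
               'NOT EXISTS && $.eventType != "AwsServiceEvent" }')


def matches_root_usage(event: dict, strict: bool = True) -> bool:
    """Apply the filter pattern's clauses to one CloudTrail record.
    strict=False reproduces PAGE_PATTERN; strict=True reproduces CIS_PATTERN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "Root":
        return False
    if not strict:
        return True
    return "invokedBy" not in ident and event.get("eventType") != "AwsServiceEvent"


def rule_passes(metric_filters: list, alarms: list) -> bool:
    """Compliance check: some filter must match root usage and feed a metric
    that has at least one alarm with a configured action."""
    needle = '$.userIdentity.type="Root"'
    for mf in metric_filters:
        if needle not in mf.get("filterPattern", "").replace(" ", ""):
            continue
        for mt in mf.get("metricTransformations", []):
            for alarm in alarms:
                if (alarm.get("MetricName") == mt["metricName"]
                        and alarm.get("Namespace") == mt["metricNamespace"]
                        and alarm.get("AlarmActions")):
                    return True
    return False


# Constructed sample CloudTrail records: root console login, IAM user API call,
# and a service-initiated event attributed to root.
ROOT_LOGIN = {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
              "userIdentity": {"type": "Root", "accountId": "111122223333"}}
IAM_CALL = {"eventType": "AwsApiCall", "eventName": "ListBuckets",
            "userIdentity": {"type": "IAMUser", "userName": "alice"}}
SERVICE_EVENT = {"eventType": "AwsServiceEvent",
                 "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}}

# Constructed describe-metric-filters / describe-alarms style structures.
METRIC_FILTERS = [{"filterName": "RootAccountUsage", "filterPattern": CIS_PATTERN,
                   "metricTransformations": [{"metricName": "RootAccountUsage",
                                              "metricNamespace": "CISBenchmark",
                                              "metricValue": "1"}]}]
ALARMS = [{"AlarmName": "RootAccountUsageAlarm", "MetricName": "RootAccountUsage",
           "Namespace": "CISBenchmark", "Threshold": 1.0,
           "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]}]
```

Note that with the page's one-clause pattern the service-initiated record is also counted as root usage, which is a common source of alarm noise; the stricter pattern filters it out.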
