Ensure a Log Metric Filter and Alarm Exist for AWS Management Console Authentication Failures Rule
This rule ensures the presence of a log metric filter and alarm for AWS Management Console authentication failures.
| Rule | Ensure a log metric filter and alarm exist for AWS Management Console authentication failures |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description:
The rule ensures that there is a log metric filter and an alarm in place to detect AWS Management Console authentication failures for cis_v140. This helps to identify and respond to any unauthorized access attempts to the AWS Management Console, which could potentially lead to security breaches or unauthorized data exposure.
Troubleshooting Steps:
- 1.Verify if the log metric filter for AWS Management Console authentication failures is already configured.
- 2.Check if an alarm exists for the log metric filter.
- 3.Review the configured settings for the log metric filter and alarm to ensure they are correctly configured.
- 4.Ensure the appropriate permissions are set for the IAM role/user responsible for creating and managing the log metric filter and alarm.
Necessary Codes:
To create a log metric filter and alarm for AWS Management Console authentication failures, you can use CloudFormation or AWS Command Line Interface (CLI) commands. Below are the necessary codes for CLI:
Log Metric Filter Creation:
aws logs put-metric-filter \ --log-group-name <log-group-name> \ --filter-name <filter-name> \ --filter-pattern "[timestamp=*, event=SignInFailed, *]" \ --metric-name <metric-name> \ --metric-namespace AWS/ConsoleSignIn \ --metric-value "1"
Replace the placeholders with the appropriate values:
: The name of the log group where the log events are stored.<log-group-name>
: A name for the log metric filter.<filter-name>
: A name for the metric to be created.<metric-name>
Alarm Creation:
aws cloudwatch put-metric-alarm \ --alarm-name <alarm-name> \ --alarm-description "AWS Management Console authentication failures" \ --metric-name <metric-name> \ --namespace AWS/ConsoleSignIn \ --statistic Sum \ --period 300 \ --threshold 1 \ --comparison-operator GreaterThanOrEqualToThreshold \ --evaluation-periods 1 \ --actions-enabled \ --alarm-actions <action-ARN>
Replace the placeholders with the appropriate values:
: A name for the alarm.<alarm-name>
: The same metric name used in the log metric filter creation.<metric-name>
: The ARN (Amazon Resource Name) of the action(s) to be taken when the alarm is triggered.<action-ARN>
Remediation Steps:
To remediate any issues or make changes to the existing configuration, follow the steps below:
- 1.Identify any issues by troubleshooting using the steps mentioned above.
- 2.If the log metric filter does not exist, create it using the provided code snippet.
- 3.If the alarm does not exist or needs modification, create/update it using the code snippet provided.
- 4.Test the log metric filter and alarm by intentionally initiating failed authentication attempts to the AWS Management Console.
- 5.Monitor the CloudWatch metrics and ensure that the alarm is triggered correctly.
- 6.Configure appropriate actions to be taken when the alarm is triggered, such as sending notifications or triggering automated responses.
Remember to regularly review and update the log metric filter and alarm configurations as per your organization's security policies and requirements.