
Ensure a Log Metric Filter and Alarm Exist for Usage of 'root' Account Rule

This rule ensures the presence of a log metric filter and alarm for the usage of the 'root' account.

Rule: Ensure a log metric filter and alarm exist for usage of 'root' account
Framework: cis_v150
Severity: Low

Rule Description

This rule ensures that a log metric filter and alarm are in place to monitor usage of the 'root' account in a CIS_v150 compliant environment. The 'root' account is the account's superuser, with unrestricted access to every resource, and should be used as rarely as possible to reduce the risk of unauthorized access and potential security breaches.

Troubleshooting Steps (if applicable)

If the log metric filter and alarm for 'root' account usage are not in place, follow these troubleshooting steps:

  1. Verify that the user has the permissions needed to create log metric filters and alarms.
  2. Check CloudWatch Logs to confirm whether any log metric filters and alarms for 'root' account usage already exist.
  3. Ensure that the filter pattern actually matches 'root' account usage.
  4. Verify that the alarm actions are configured to send the intended notifications or trigger the intended actions when 'root' account usage is detected.

Necessary Code (if applicable)

The code below creates the log metric filter and alarm with AWS CloudFormation:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  RootAccountLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      # The CloudWatch Logs group that receives your CloudTrail trail; replace with your own
      LogGroupName: <CloudTrail log group name>
      # CIS root-usage pattern: a Root principal that was not invoked by an AWS service
      # and is not an AWS service event (CloudTrail events are JSON, so a JSON pattern is used)
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricName: RootAccountUsage
          MetricNamespace: CIS/Security
          MetricValue: '1'

  RootAccountUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: RootAccountUsageAlarm
      AlarmDescription: Alarm triggered for 'root' account usage
      Namespace: CIS/Security
      MetricName: RootAccountUsage
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      EvaluationPeriods: 1
      Statistic: SampleCount
      Period: 300  # 5 minutes
      AlarmActions:
        - <ARN of SNS Topic or other action to be triggered>

Replace the log group name and the alarm action ARN with the values for your environment.
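The CIS benchmark's CloudTrail filter pattern for root usage is `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`. As an added example (not Cloud Defense's code), the script below re-implements those three conditions in Python and runs them over constructed CloudTrail-style events, so the match logic and the alarm threshold can be checked offline before the filter is deployed; the events and account id are made up.

```python
"""Offline check of the CIS root-usage metric filter logic (added example).

Re-implements the CloudWatch Logs filter pattern
  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
in plain Python and applies it to sample CloudTrail events.
"""
import json


def matches_root_usage(event: dict) -> bool:
    """True when a CloudTrail event would be counted by the CIS root filter."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"            # root principal
        and "invokedBy" not in identity           # not an AWS service acting as root
        and event.get("eventType") != "AwsServiceEvent"
    )


def count_root_events(log_lines) -> int:
    """Mimic the metric transformation: each matching event adds MetricValue 1."""
    return sum(1 for line in log_lines if matches_root_usage(json.loads(line)))


def alarm_fires(metric_count: int, threshold: int = 1) -> bool:
    """Mimic the alarm: GreaterThanOrEqualToThreshold over one evaluation period."""
    return metric_count >= threshold


# Constructed, abbreviated CloudTrail records (not real logs).
SAMPLE_LOG_LINES = [
    json.dumps({"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root", "accountId": "111111111111"}}),
    json.dumps({"eventType": "AwsApiCall", "eventName": "ListBuckets",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventType": "AwsApiCall", "eventName": "CreateLogStream",
                "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}}),
    json.dumps({"eventType": "AwsServiceEvent", "eventName": "RotateKey",
                "userIdentity": {"type": "Root"}}),
]

if __name__ == "__main__":
    count = count_root_events(SAMPLE_LOG_LINES)
    print(f"{count} of {len(SAMPLE_LOG_LINES)} events counted as root usage; "
          f"alarm fires: {alarm_fires(count)}")
```

Only the interactive console sign-in counts; the service-invoked call and the AWS service event are excluded, which is why the two extra clauses matter for keeping the alarm free of noise.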

Remediation Steps

Follow the steps below to remediate a missing log metric filter and alarm for 'root' account usage:

  1. Open the AWS Management Console and navigate to the CloudWatch service.
  2. In the left sidebar, click "Log groups" under "Logs".
  3. Search for the log group that contains the logs for 'root' account usage (e.g., '/var/log/auth.log').
  4. Click the log group to open the detailed log view.
  5. In the top-right corner, click the "Create metric filter" button.
  6. Set the filter pattern to '[root]'.
  7. Configure the filter name and choose an appropriate metric namespace and value.
  8. Click "Assign metric".
  9. In the Alarm section, click "Create an alarm".
  10. Configure the alarm name, description, threshold, and alarm actions according to your requirements. Ensure that the period is set to 5 minutes.
  11. Click "Create alarm" to finalize the setup.

Once the log metric filter and alarm are in place, any usage of the 'root' account within an evaluation period will trigger the alarm and send the configured notifications or execute the specified actions.
