
Ensure a Log Metric Filter and Alarm Exist for AWS Management Console Authentication Failures Rule

This rule ensures the existence of log metric filter and alarm for AWS Management Console authentication failures.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Framework: cis_v150
Severity: Low

Rule Description:

The rule ensures that a log metric filter and alarm are in place to detect and notify about AWS Management Console authentication failures, as required by cis_v150. Repeated failed console logins are an early indicator of credential guessing or attempted use of leaked credentials, so alerting on them helps identify unauthorized access attempts before they succeed.

Troubleshooting Steps:

  • If you do not receive any notifications or alerts regarding AWS Management Console authentication failures, follow these steps to troubleshoot the rule:
    1. Review the CloudWatch Logs for any errors or issues related to the log metric filter and alarm.
    2. Ensure that the log metric filter is correctly configured to capture authentication failure events.
    3. Verify that the alarm configuration is accurate and has the appropriate threshold for triggering notifications.
    4. Check if there are any issues with IAM roles, permissions, or policies that might prevent the rule from functioning correctly.
    5. Review AWS CloudTrail logs for any relevant events or errors related to the rule.
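Troubleshooting step 2 asks whether the metric filter actually captures failed console logins. The following added example (not Cloud Defense's code) emulates the CIS Benchmark filter pattern for this control over a few constructed CloudTrail JSON records and buckets the matches into the same 5-minute periods the alarm evaluates, so you can see which events would count toward the threshold and which would not. It is a small re-implementation of that one pattern, not CloudWatch's filter engine, and the sample events, IP addresses and timestamps are made up.

```python
"""Emulate the CIS console-authentication-failure metric filter over sample
CloudTrail records and aggregate matches into 5-minute alarm periods.

Added illustration, not CloudWatch's own matcher. The pattern emulated is
{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }.
All events below are constructed samples, not real account data.
"""
import json
from datetime import datetime, timezone

# Selector/value pairs of the CIS pattern; every pair must match (the && in the pattern).
FILTER = {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}

# Constructed CloudTrail records, one JSON document per line as CloudWatch Logs would see them.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-01-01T10:00:10Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"198.51.100.10"}',
    '{"eventTime":"2024-01-01T10:01:30Z","eventName":"ConsoleLogin","responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventTime":"2024-01-01T10:03:05Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"198.51.100.10"}',
    '{"eventTime":"2024-01-01T10:07:45Z","eventName":"GetSessionToken","errorMessage":"Failed authentication"}',
    '{"eventTime":"2024-01-01T10:08:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","sourceIPAddress":"203.0.113.7"}',
]
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG_LINES]


def matches_filter(event: dict) -> bool:
    """True when every selector in FILTER equals the event's value (missing field -> no match)."""
    return all(event.get(key) == value for key, value in FILTER.items())


def period_start(event_time: str, period_seconds: int = 300) -> datetime:
    """Align an ISO-8601 CloudTrail eventTime to the start of its metric period."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % period_seconds, tz=timezone.utc)


def metric_datapoints(events, period_seconds: int = 300) -> dict:
    """Sum of matches per period: each match contributes a metric value of 1."""
    counts = {}
    for event in events:
        if matches_filter(event):
            start = period_start(event["eventTime"], period_seconds)
            counts[start] = counts.get(start, 0) + 1
    return dict(sorted(counts.items()))


def alarm_periods(events, threshold: int = 1, period_seconds: int = 300) -> list:
    """Period starts where Sum >= threshold, i.e. where the alarm would enter ALARM."""
    return [start for start, total in metric_datapoints(events, period_seconds).items()
            if total >= threshold]


if __name__ == "__main__":
    for start, total in metric_datapoints(SAMPLE_EVENTS).items():
        print(f"{start.isoformat()}  failures={total}")
    print("ALARM periods:", [p.isoformat() for p in alarm_periods(SAMPLE_EVENTS)])
```

Of the five sample records, the successful login and the GetSessionToken failure are correctly ignored; the three ConsoleLogin failures land in two periods (two in the 10:00 period, one in the 10:05 period), so with the guide's "Sum >= 1 for 5 minutes" threshold both periods would raise the alarm, while a threshold of 3 would raise none.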

Necessary Codes:

No additional codes are required for this rule.

Step by Step Guide for Remediation:

Follow these steps to ensure a log metric filter and alarm exist for AWS Management Console authentication failures for cis_v150:

  1. Log in to the AWS Management Console.
  2. Open the Amazon CloudWatch service.
  3. From the left navigation pane, select "Log groups."
  4. Search for the log group associated with the AWS Management Console authentication logs. (Typically, the log group name follows the format: /aws/iam/ConsoleLogin).
  5. Click on the log group to view its details.
  6. In the top-right corner, click on "Create Metric Filter."
  7. In the "Filter Pattern" section, choose "Custom pattern."
  8. Enter the filter pattern:
     { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
     This is the CIS Benchmark pattern for this control: it matches CloudTrail ConsoleLogin events whose errorMessage records a failed authentication.
  9. Click on "Assign Metric" and select "Create new metric."
  10. Provide a name for the metric, such as "ConsoleAuthenticationFailures."
  11. Provide a namespace for the metric, such as "CloudTrailMetrics."
  12. Click on "Create Filter" to create the log metric filter.
  13. Go back to the log group details page and click on the "Alarms" tab.
  14. Click on "Create Alarm" to create a new alarm.
  15. In the "Create Alarm" wizard, search for the newly created metric filter by entering its name in the search bar.
  16. Select the metric filter and click on "Select metric."
  17. Set the appropriate threshold for triggering the alarm, such as "Threshold type: Static" and "Whenever ConsoleAuthenticationFailures is >= 1 for 5 minutes."
  18. Configure the actions to be taken when the alarm state is triggered, such as sending a notification to an SNS topic or triggering an AWS Lambda function.
  19. Click on "Create alarm" to create the alarm for AWS Management Console authentication failures.

Once the log metric filter and alarm are created, you will start receiving notifications or alerts whenever there are AWS Management Console authentication failures for cis_v150.
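The console walkthrough above maps onto two API calls, CloudWatchLogs.put_metric_filter (steps 6 to 12) and CloudWatch.put_metric_alarm (steps 13 to 19). The following added example (not Cloud Defense's code) builds those calls with boto3 and, before creating the filter, audits the log group for an existing filter that already covers the rule, which is what the compliance check itself looks for. The log group name, SNS topic ARN and region are placeholders you must supply; boto3 is imported only inside apply_remediation() so the parameter builders and the audit helper run without AWS credentials.

```python
"""Create or audit the CIS console-authentication-failure metric filter and alarm.

Added example, not the vendor's code. Replace the placeholder log group name,
SNS topic ARN and region with your own values before running.
"""
# CIS Benchmark pattern for this control (same pattern as step 8 of the guide).
FILTER_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'
METRIC_NAME = "ConsoleAuthenticationFailures"
METRIC_NAMESPACE = "CloudTrailMetrics"


def metric_filter_params(log_group_name: str) -> dict:
    """Arguments for CloudWatchLogs.put_metric_filter (console steps 6-12)."""
    return {
        "logGroupName": log_group_name,
        "filterName": "ConsoleAuthenticationFailuresFilter",
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": METRIC_NAMESPACE,
            "metricValue": "1",   # each matching event counts once
            "defaultValue": 0.0,  # publish 0 for batches with no matches so the metric is never missing
        }],
    }


def alarm_params(sns_topic_arn: str) -> dict:
    """Arguments for CloudWatch.put_metric_alarm: Sum >= 1 over one 5-minute period (steps 13-19)."""
    return {
        "AlarmName": "ConsoleAuthenticationFailuresAlarm",
        "AlarmDescription": "AWS Management Console authentication failures (CIS)",
        "Namespace": METRIC_NAMESPACE,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # a quiet period is not an alarm condition
        "AlarmActions": [sns_topic_arn],
    }


def filter_covers_rule(existing_filters: list) -> bool:
    """Audit helper over describe_metric_filters() entries: True if some filter already
    selects failed ConsoleLogin events and publishes a metric."""
    for entry in existing_filters:
        pattern = entry.get("filterPattern", "")
        if ("ConsoleLogin" in pattern and "Failed authentication" in pattern
                and entry.get("metricTransformations")):
            return True
    return False


def apply_remediation(log_group_name: str, sns_topic_arn: str, region_name: str = "us-east-1") -> None:
    """Create the filter only if no covering filter exists, then create or update the alarm."""
    import boto3  # imported here so the builders above run without AWS credentials
    logs = boto3.client("logs", region_name=region_name)
    cloudwatch = boto3.client("cloudwatch", region_name=region_name)
    existing = logs.describe_metric_filters(logGroupName=log_group_name).get("metricFilters", [])
    if not filter_covers_rule(existing):
        logs.put_metric_filter(**metric_filter_params(log_group_name))
    cloudwatch.put_metric_alarm(**alarm_params(sns_topic_arn))


if __name__ == "__main__":
    import sys
    # usage: python remediate.py <cloudtrail-log-group-name> <sns-topic-arn>
    apply_remediation(sys.argv[1], sys.argv[2])
```

The audit helper is deliberately lenient (it checks that the pattern names both the event and the error string rather than parsing the pattern), so it will accept the equivalent unquoted form the CIS Benchmark also lists. put_metric_alarm is idempotent for a given AlarmName, so re-running the script updates the threshold and actions rather than creating duplicates.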
