
Ensure a Log Metric Filter and Alarm Exist for AWS Management Console Authentication Failures Rule

This rule ensures the presence of a log metric filter and alarm for AWS Management Console authentication failures.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Framework: cis_v130
Severity: Low

Rule Description

The rule ensures that a log metric filter and an alarm are set up to monitor and notify for AWS Management Console authentication failures as per the CIS AWS Foundations Benchmark (v1.3.0) security best practices. The goal is to detect and respond promptly to any unauthorized access attempts to the AWS Management Console.

Troubleshooting Steps

  1. Ensure that CloudTrail is enabled in your AWS account. If it is not, follow the AWS documentation to enable CloudTrail in your account.

  2. Verify that the IAM user or role executing the AWS Config rule has the necessary permissions to create and modify CloudWatch Logs log groups, log streams, log metric filters, and alarms.

  3. Verify that the region specified in the rule matches the region where you want to enforce the monitoring and alarm for AWS Management Console authentication failures.

  4. Check whether any log metric filters or alarms are already configured for AWS Management Console authentication failures. If there are conflicts or duplicate configurations, resolve them to avoid inconsistencies and false alarms.

Necessary Codes

No necessary codes are required for this rule.

Remediation

Follow the steps below to remediate the rule failure and set up the log metric filter and alarm for AWS Management Console authentication failures:

  1. Open the CloudWatch console.

  2. In the navigation pane, click on "Logs" and then select "Log groups".

  3. Create a new log group (or select an existing one) that will store the CloudTrail logs related to AWS Management Console authentication. The CloudTrail trail must be configured to deliver its events to this log group; an empty log group produces no metric data.

  4. In the navigation pane, click on "Log groups" and select the log group created in the previous step.

  5. Click on the "Create Metric Filter" button.

  6. Choose "Filter Pattern" and enter the following pattern:

     { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

  7. Click on "Test pattern" to verify that the pattern matches the desired log entries.

  8. Click on "Assign Metric" and set a meaningful name for the metric filter, for example "ConsoleLoginFailures".

  9. Configure the "Metric Value" as "1" so that each failed authentication recorded in CloudWatch Logs counts as one occurrence.

  10. Click on "Create Filter" to create the log metric filter.

  11. In the CloudWatch console, navigate to "Alarms" in the left navigation pane.

  12. Click on the "Create Alarm" button.

  13. Select the newly created metric filter (e.g., "ConsoleLoginFailures") in the "Create Alarm" wizard.

  14. Configure the desired threshold, period, and actions for the alarm. For example, set the threshold to "1" and select a notification action to alert administrators about the failed authentication attempts.

  15. Click on "Create Alarm" to create the alarm for AWS Management Console authentication failures.
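As an added example (not part of the original page or of Cloud Defense's own tooling), the following Python emulates what the "Test pattern" step checks: it applies the two conditions of the filter pattern above to constructed CloudTrail records, sums a metric value of 1 per match over a period, and evaluates the alarm threshold. The helper names, the sample records and the "greater than or equal to threshold" comparison are assumptions; CloudWatch's real pattern engine is not invoked, so it runs offline.

```python
import json

# The CIS filter pattern from the remediation steps, kept for reference;
# match_console_login_failure() implements the same two conditions.
FILTER_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

# Constructed sample CloudTrail records (not real events): one console login
# failure, one success, one failure of a different event type, one non-JSON line.
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventName": "AssumeRole", "errorMessage": "Failed authentication"}),
    "this line is not JSON",
]


def match_console_login_failure(line: str) -> bool:
    """Emulate the metric filter: both conditions must hold on one JSON event.

    A JSON metric filter never matches a line that is not a JSON object, so such
    lines return False instead of raising; this is why the "Test pattern" step
    matters before the filter is created.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return False
    if not isinstance(event, dict):
        return False
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def metric_value(lines) -> int:
    """Metric value 1 per matching record, summed over one evaluation period."""
    return sum(1 for line in lines if match_console_login_failure(line))


def alarm_fires(lines, threshold: int = 1) -> bool:
    """Assumed alarm condition: period sum >= threshold (threshold 1 as on the page)."""
    return metric_value(lines) >= threshold


def failure_sources(lines):
    """Triage helper: (userName, sourceIPAddress) for each matching record."""
    out = []
    for line in lines:
        if match_console_login_failure(line):
            ev = json.loads(line)
            out.append((ev.get("userIdentity", {}).get("userName"), ev.get("sourceIPAddress")))
    return out
```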

Result

By following the above steps, you have set up a log metric filter and alarm in CloudWatch to monitor and notify for AWS Management Console authentication failures. Any failed authentication attempt that matches the filter will raise the alarm, and the designated actions will be taken to investigate and mitigate the unauthorized access attempts.
