Rule: Ensure a log metric filter and alarm exist for usage of 'root' account
This rule ensures the presence of a log metric filter and alarm for the 'root' account usage.
| Rule | Ensure a log metric filter and alarm exist for usage of 'root' account |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description
The rule requires the existence of a log metric filter and alarm to track and alert any usage of the 'root' account. This is in accordance with the CIS Amazon Web Services (AWS) Foundations Benchmark (version 1.4.0) for security best practices.
Troubleshooting Steps
If the log metric filter and alarm do not exist, follow these troubleshooting steps to create them:
- 1.
Ensure the AWS CLI is properly configured and you have the necessary permissions.
- 2.
Verify that AWS CloudTrail is enabled in your AWS account. If it is not enabled, you will need to enable it in order to create the necessary log metric filter and alarm.
- 3.
Check if AWS CloudTrail trails are configured properly for all regions you want to monitor. If not, configure them according to your requirements.
- 4.
Review the CloudTrail logs to confirm if any logs related to the 'root' account are available. If there are no logs, confirm if the 'root' account is being used or if it is disabled.
- 5.
Verify that an Amazon CloudWatch log group is created and properly configured to receive the logs generated by CloudTrail.
- 6.
Check if an Amazon CloudWatch metric filter is defined for the CloudWatch log group. If it is not defined, create a metric filter specifically for the 'root' account usage.
Necessary Codes
There are no specific codes required for this rule. However, you may need to use AWS CLI commands to create and configure the CloudTrail and CloudWatch resources.
Step-by-Step Guide for Remediation
Follow these steps to remediate the rule by creating the log metric filter and alarm for 'root' account usage:
- 1.
Open the AWS Management Console and navigate to the CloudTrail service.
- 2.
Ensure that CloudTrail is enabled. If not, click on "Trails" in the left navigation menu, select the appropriate trail, and click "Edit" to enable it.
- 3.
Click on "Trails" in the left navigation menu and select the correct trail to access the trail configuration.
- 4.
Under the "Management events" section, verify that the 'root' account is being audited. If not, click on "Edit" and enable audit logging for the 'root' account.
- 5.
Navigate to the CloudWatch service in the AWS Management Console.
- 6.
In the left navigation menu, click on "Logs" and then click on "Create log group".
- 7.
Provide a name for the log group, such as "CloudTrailLogs", and click on "Create".
- 8.
From the CloudWatch Logs dashboard, click on the created log group.
- 9.
Under "Actions" dropdown, select "Create Metric Filter".
- 10.
In the "Create Metric Filter" wizard, select the log group created earlier.
- 11.
Define a filter pattern that captures logs containing the usage of the 'root' account. For example, you can use the filter pattern:
{ $.userIdentity.type = "Root" }
- 1.
Click on "Test pattern" to verify if the filter pattern matches the log entries correctly.
- 2.
Specify a name for the metric filter, such as "RootAccountUsage", and click on "Create filter".
- 3.
To create an alarm that triggers when the metric filter matches any log entries, click on "Create alarm" under "Actions" dropdown.
- 4.
Select the "RootAccountUsage" filter and specify the alarm criteria, such as the threshold for the number of log entries generated by the 'root' account.
- 5.
Configure the actions to be taken when the alarm is triggered, such as sending an email notification or triggering an SNS topic.
- 6.
Review the alarm configuration and click on "Create alarm" to complete the setup.
Once the above steps are completed, the log metric filter and alarm will be in place to track and alert any usage of the 'root' account in the specified CloudTrail logs.