This rule ensures the presence of a log metric filter and alarm for the usage of the 'root' account.
| Field | Value |
| --- | --- |
| Rule | Ensure a log metric filter and alarm exist for usage of 'root' account |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule Description
This rule ensures that a log metric filter and alarm are in place to monitor the usage of the 'root' account within a CIS_v150 compliant environment. The 'root' account is a superuser account with unrestricted access and should be used sparingly to reduce the risk of unauthorized access and potential security breaches.
Troubleshooting Steps (if applicable)
If the log metric filter and alarm for 'root' account usage are not in place, follow these troubleshooting steps:
Necessary Code (if applicable)
The necessary code is provided below for creating a log metric filter and alarm using AWS CloudFormation:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CIS v1.5.0 - log metric filter and alarm for usage of the 'root' account

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: CloudWatch Logs group that receives CloudTrail events from the multi-region trail
  AlarmSnsTopicArn:
    Type: String
    Description: ARN of the SNS topic (or other action) to notify when the alarm fires

Resources:
  RootAccountLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # CIS-recommended pattern: the caller is the root identity, the call was not
      # made on root's behalf by an AWS service, and the record is not a service event
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricName: RootAccountUsage
          MetricNamespace: CIS/Security
          MetricValue: '1'

  RootAccountUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: RootAccountUsageAlarm
      AlarmDescription: Alarm triggered for 'root' account usage
      Namespace: CIS/Security
      MetricName: RootAccountUsage
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      EvaluationPeriods: 1
      Statistic: SampleCount
      Period: 300 # 5 minutes
      # Root usage is rare; without this the alarm sits in INSUFFICIENT_DATA between events
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmSnsTopicArn
```
Please note that you need to supply the CloudTrail log group name and the alarm action (for example, an SNS topic ARN with at least one subscriber) as stack parameters with the appropriate values for your environment.
Remediation Steps
Follow the steps below to remediate the issue of missing log metric filter and alarm for 'root' account usage:
Once the log metric filter and alarm are successfully created, any usage of the 'root' account will trigger the alarm and generate notifications or execute specified actions.
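The following Python is an added example, not part of this rule page or its framework. It evaluates the control's requirements offline: a logging multi-region trail that delivers to CloudWatch Logs, a metric filter with the CIS root-usage pattern on that log group, an alarm on the filter's metric, and an SNS action with an active subscription. It also re-implements the filter pattern's semantics to show which CloudTrail events would trip it. The inventory dictionaries and CloudTrail events are constructed sample data; their field names are a simplified summary of the AWS API output and are assumptions of this example, as is the helper `event_matches_root_pattern`.

```python
import re

# Metric filter pattern recommended by CIS AWS Foundations Benchmark v1.5.0
# for root-account usage.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def event_matches_root_pattern(event: dict) -> bool:
    """Hypothetical helper: the same three tests CloudWatch Logs applies when it
    evaluates ROOT_USAGE_PATTERN against one CloudTrail event."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity          # NOT EXISTS: field must be absent
        and event.get("eventType") != "AwsServiceEvent"
    )


def _canon(pattern: str) -> str:
    # Compare filter patterns ignoring whitespace differences.
    return re.sub(r"\s+", "", pattern)


def check_root_usage_control(trails, metric_filters, alarms, sns_subscriptions) -> dict:
    """Return {"compliant": bool, "reasons": [...]} for the control's four requirements."""
    reasons = []
    # 1. An active multi-region trail that delivers to a CloudWatch log group.
    log_groups = {
        t["log_group_name"] for t in trails
        if t["is_multi_region"] and t["is_logging"] and t.get("log_group_name")
    }
    if not log_groups:
        reasons.append("no active multi-region trail delivering to CloudWatch Logs")
    # 2. A metric filter with the CIS root-usage pattern on one of those log groups.
    matching_filters = [
        f for f in metric_filters
        if f["log_group_name"] in log_groups
        and _canon(f["filter_pattern"]) == _canon(ROOT_USAGE_PATTERN)
    ]
    if not matching_filters:
        reasons.append("no metric filter with the CIS root-usage pattern")
    # 3. An alarm on the metric emitted by that filter.
    metric_keys = {(f["metric_namespace"], f["metric_name"]) for f in matching_filters}
    matching_alarms = [a for a in alarms if (a["namespace"], a["metric_name"]) in metric_keys]
    if matching_filters and not matching_alarms:
        reasons.append("metric filter exists but no alarm is attached to its metric")
    # 4. The alarm notifies an SNS topic that has at least one subscriber.
    notified = any(
        sns_subscriptions.get(arn) for a in matching_alarms for arn in a["alarm_actions"]
    )
    if matching_alarms and not notified:
        reasons.append("alarm has no SNS action with an active subscription")
    return {"compliant": not reasons, "reasons": reasons}


# Constructed sample inventory (a summary of what describe_trails, describe_metric_filters,
# describe_alarms and list_subscriptions_by_topic would return for a compliant account).
SAMPLE_TRAILS = [{"name": "org-trail", "is_multi_region": True, "is_logging": True,
                  "log_group_name": "CloudTrail/DefaultLogGroup"}]
SAMPLE_FILTERS = [{"log_group_name": "CloudTrail/DefaultLogGroup",
                   "filter_pattern": ROOT_USAGE_PATTERN,
                   "metric_namespace": "CIS/Security", "metric_name": "RootAccountUsage"}]
SAMPLE_ALARMS = [{"alarm_name": "RootAccountUsageAlarm", "namespace": "CIS/Security",
                  "metric_name": "RootAccountUsage",
                  "alarm_actions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}]
SAMPLE_SUBSCRIPTIONS = {"arn:aws:sns:us-east-1:123456789012:security-alerts":
                        ["secops@example.com"]}

# Constructed CloudTrail events: only the first should trip the filter.
ROOT_CONSOLE_LOGIN = {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                      "userIdentity": {"type": "Root", "accountId": "123456789012"}}
ROOT_VIA_SERVICE = {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
                    "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}}
IAM_USER_CALL = {"eventType": "AwsApiCall", "eventName": "ListBuckets",
                 "userIdentity": {"type": "IAMUser", "userName": "alice"}}

if __name__ == "__main__":
    print(check_root_usage_control(SAMPLE_TRAILS, SAMPLE_FILTERS, SAMPLE_ALARMS,
                                   SAMPLE_SUBSCRIPTIONS))
    for ev in (ROOT_CONSOLE_LOGIN, ROOT_VIA_SERVICE, IAM_USER_CALL):
        print(ev["eventName"], event_matches_root_pattern(ev))
```

The pattern comparison ignores whitespace so that a filter created from the console and one created from a template are judged equal; any other deviation (for example, dropping the `invokedBy NOT EXISTS` clause) is reported as a missing filter, since a looser pattern would fire on routine service calls made on root's behalf and a stricter one would miss console logins.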