
Rule: Ensure a Log Metric Filter for AWS Management Console Authentication Failures

This rule ensures a log metric filter and alarm exist for AWS Management Console authentication failures.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule Description

This rule enforces the creation of a log metric filter and alarm for AWS Management Console authentication failures specifically for General Data Protection Regulation (GDPR) compliance. By monitoring and alerting on these authentication failures, the organization can proactively identify potential security incidents and address them promptly to maintain compliance with GDPR requirements.

Troubleshooting Steps

If you encounter any issues while setting up the log metric filter and alarm, you can follow these troubleshooting steps:

  1. Missing IAM Permissions: Ensure that the IAM user or role used to configure the log metric filter and alarm has the necessary permissions, such as cloudwatch:PutMetricFilter and cloudwatch:PutMetricAlarm.
  2. Incorrect Filter Pattern: Review the filter pattern used for the log metric filter. Make sure the pattern accurately captures the authentication failure events specific to the AWS Management Console.
  3. Alarm Configuration: Verify that the alarm configuration parameters, such as the threshold and evaluation period, are set correctly according to your requirements.
  4. CloudWatch Logs Integration: Ensure that your CloudTrail logs are integrated with CloudWatch Logs. If not, configure CloudTrail log delivery to CloudWatch Logs and confirm that the logs are being ingested successfully.

Necessary Codes

There are no specific codes required for this rule. However, you can use the AWS Command Line Interface (CLI) to configure the log metric filter and alarm if desired.

Step-by-Step Guide

To ensure a log metric filter and alarm exist for AWS Management Console authentication failures, follow these steps:

Step 1: Access CloudWatch

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudWatch service.

Step 2: Create a Log Metric Filter

  1. In the CloudWatch dashboard, click on Logs in the left navigation pane.
  2. Select the appropriate log group containing your CloudTrail logs.
  3. Choose the Create Metric Filter button.
  4. Specify a filter pattern that captures AWS Management Console authentication failures. CloudTrail records a failed console sign-in as a ConsoleLogin event from signin.amazonaws.com carrying errorMessage "Failed authentication" (there is no errorCode field on these events), so the pattern should test that field. For example, you can use the following pattern:
     { ($.eventSource = "signin.amazonaws.com") && ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
  5. Click on Test Pattern to verify that the pattern matches the desired events.
  6. Configure the filter name and assign it to a new or existing metric namespace.
  7. Choose the Create filter button.

Step 3: Configure an Alarm

  1. In the CloudWatch dashboard, click on Alarms in the left navigation pane.
  2. Select Create Alarm.
  3. Under the Select metric section, choose Browse.
  4. Locate the metric namespace assigned to the log metric filter created in Step 2 and select the corresponding metric.
  5. Configure the alarm threshold, such as setting it to "Greater/Equal" to be alerted on any authentication failures.
  6. Specify the actions to be taken when the alarm state is triggered, such as sending notifications to relevant parties.
  7. Click on Create alarm to complete the configuration.

Step 4: Test the Alarm

To ensure the alarm is functioning correctly, attempt a failed AWS Management Console authentication. The alarm should trigger and send the configured notifications, allowing you to investigate the unauthorized access attempt.

Conclusion

By following the steps outlined above, you will have successfully implemented a log metric filter and alarm for AWS Management Console authentication failures, specifically to comply with General Data Protection Regulation (GDPR) requirements. This proactive approach to monitoring authentication attempts helps maintain a secure and compliant environment.
