Rule Description:
This rule ensures that a log metric filter and alarm are set up to monitor the usage of the 'root' account for compliance with the General Data Protection Regulation (GDPR). The 'root' account has extensive privileges and should be used sparingly to reduce the risk of unauthorized access and data breaches.
Troubleshooting Steps:
1. Verify Log Metric Filter: Check if a log metric filter exists to capture 'root' account usage data.
2. Confirm Alarm Configuration: Ensure that an alarm is associated with the log metric filter to trigger an alert when 'root' account usage exceeds the defined threshold.
3. Check Alarm Actions: Validate that the alarm actions are set up correctly to notify the appropriate stakeholders when an alert is triggered.
4. Review Alarm Thresholds: Verify if the alarm threshold is appropriately defined to reflect the acceptable usage limits for the 'root' account as per GDPR compliance requirements.
5. Check Data Filters: Make sure that the log metric filter includes specific data filters to monitor 'root' account activity accurately.
6. Inspect Logging Permissions: Ensure that the required permissions are assigned to the user/group responsible for accessing log metric filters and alarms.
Necessary Code:
No specific code is required for this rule, as it involves setting up log metric filters and alarms within the logging/monitoring service provided by the cloud platform. However, the following AWS CloudFormation snippet shows how to create a CloudWatch Logs metric filter for 'root' account usage:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "RootAccountMetricFilter": {
      "Type": "AWS::Logs::MetricFilter",
      "Properties": {
        "LogGroupName": "<log-group-name>",
        "FilterPattern": "{($.userIdentity.userName = 'root') || ($.userIdentity.arn = 'arn:aws:iam::*:root')}",
        "MetricTransformations": [
          {
            "MetricValue": "1",
            "MetricNamespace": "<metric-namespace>",
            "MetricName": "<metric-name>"
          }
        ]
      }
    }
  }
}
Note: Replace "<log-group-name>", "<metric-namespace>", and "<metric-name>" with appropriate values specific to your environment.
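To see what the filter pattern above actually selects, and how the resulting metric feeds an alarm threshold, the following added example (not part of the original rule, and not AWS code) re-implements the pattern's two conditions in plain Python and runs them over constructed CloudTrail-style records. It then buckets the matches into fixed periods and sums them, which is what a CloudWatch alarm with Statistic=Sum evaluates against its threshold. The account id, event bodies, timestamps, 300-second period and threshold of 1 are all constructed or assumed values for the example.

```python
"""Offline check of the root-usage filter pattern and alarm threshold logic.

Added example, not part of the original rule. It mirrors the page's pattern
    {($.userIdentity.userName = 'root') || ($.userIdentity.arn = 'arn:aws:iam::*:root')}
over constructed CloudTrail-style records and then sums matches per period the
way a CloudWatch alarm with Statistic=Sum would.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample records (only the fields the pattern reads). The account id
# 111122223333 is a placeholder, not a real account.
SAMPLE_EVENTS = [
    # Root console login: CloudTrail records type "Root" and the :root ARN.
    {"eventTime": "2024-01-01T10:00:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"}},
    # Ordinary IAM user: must NOT match.
    {"eventTime": "2024-01-01T10:02:40Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Assumed role: STS ARN, must NOT match even though the role is privileged.
    {"eventTime": "2024-01-01T10:07:05Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"}},
    # Root again, in the next five-minute period, with a userName present.
    {"eventTime": "2024-01-01T10:09:59Z", "eventName": "GetSessionToken",
     "userIdentity": {"type": "Root", "userName": "root",
                      "arn": "arn:aws:iam::111122223333:root"}},
]


def matches_root_filter(event):
    """True when userName == 'root' OR the ARN matches 'arn:aws:iam::*:root'.

    The '*' wildcard in the ARN clause stands for the account id, so the
    pattern works unchanged across accounts.
    """
    ident = event.get("userIdentity", {})
    if ident.get("userName") == "root":
        return True
    return fnmatchcase(ident.get("arn", ""), "arn:aws:iam::*:root")


def count_per_period(events, period_seconds=300):
    """Sum of MetricValue 1 per matching event, keyed by period start (epoch s)."""
    buckets = {}
    for ev in events:
        if not matches_root_filter(ev):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        start = int(ts.timestamp()) // period_seconds * period_seconds
        buckets[start] = buckets.get(start, 0) + 1
    return buckets


def alarm_breaches(events, threshold=1, period_seconds=300):
    """Period starts where Sum >= threshold, i.e. where the alarm would go ALARM."""
    counts = count_per_period(events, period_seconds)
    return sorted(start for start, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", "ROOT" if matches_root_filter(ev) else "-")
    print("periods in ALARM:", alarm_breaches(SAMPLE_EVENTS))
```

The two root records land in different five-minute periods, so with a threshold of 1 both periods breach; with a threshold of 2 neither does, which is the practical effect of the "acceptable usage limit" the troubleshooting steps ask you to review. The assumed-role record shows why the data filter must be checked: privileged sessions that are not the root principal are out of scope for this rule and correctly do not count.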
Remediation Steps:
To remediate, follow these step-by-step instructions:
Step 1: Log in to the cloud platform console with appropriate credentials.
Step 2: Navigate to the logging/monitoring service (e.g., AWS CloudWatch Logs).
Step 3: Locate the relevant log group or create a new one dedicated to 'root' account monitoring.
Step 4: Create a new log metric filter within the chosen log group.
Step 5: Specify the filter pattern as "{($.userIdentity.userName = 'root') || ($.userIdentity.arn = 'arn:aws:iam::*:root')}" to capture 'root' account activities.
Step 6: Choose a meaningful metric namespace and name for the metric filter.
Step 7: Save the log metric filter configuration.
Step 8: Set up an alarm associated with the log metric filter.
Step 9: Configure the alarm threshold based on GDPR compliance requirements and acceptable 'root' account usage limits.
Step 10: Define appropriate actions for the alarm, such as sending notifications to stakeholders via email or triggering automated remediation workflows.
Step 11: Save the alarm configuration.
Step 12: Regularly monitor the log metric filter and alarm to ensure continuous compliance with GDPR regulations.
By following these steps, you can ensure that a log metric filter and alarm are properly set up to monitor the usage of the 'root' account in compliance with GDPR regulations.
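Steps 4 through 11 produce three linked pieces of configuration: the metric filter, the alarm that watches the filter's metric, and the notification target the alarm invokes. The added example below (not part of the original rule, and not AWS code) expresses that end state as a CloudFormation template in Python dict form, extending the rule's own metric filter snippet with an AWS::CloudWatch::Alarm and an AWS::SNS::Topic, and then runs the checks from the Troubleshooting section over it: a root-usage filter exists, an alarm references exactly that filter's namespace and metric name, the alarm has an action, and it uses a greater-than comparison. The logical resource names, log group name, namespace, metric name, e-mail endpoint and threshold are constructed values for the example.

```python
"""Template-level check of the root-usage filter/alarm wiring.

Added example, not part of the original rule. COMPLETE_TEMPLATE is a
constructed CloudFormation template (dict form) with the rule's metric filter
plus an alarm and an SNS topic; check_root_monitoring() reports the gaps the
Troubleshooting steps ask about. Names and values are placeholders.
"""
import copy
import json

ROOT_PATTERN = ("{($.userIdentity.userName = 'root') || "
                "($.userIdentity.arn = 'arn:aws:iam::*:root')}")

COMPLETE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        # Step 4-7: the filter, as in the rule's snippet (placeholders filled in).
        "RootAccountMetricFilter": {
            "Type": "AWS::Logs::MetricFilter",
            "Properties": {
                "LogGroupName": "cloudtrail-logs",          # constructed
                "FilterPattern": ROOT_PATTERN,
                "MetricTransformations": [{
                    "MetricValue": "1",
                    "MetricNamespace": "Security/IAM",     # constructed
                    "MetricName": "RootAccountUsage",      # constructed
                }],
            },
        },
        # Step 10: the notification target referenced by the alarm action.
        "RootUsageTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {"Subscription": [
                {"Endpoint": "security-team@example.com", "Protocol": "email"}]},
        },
        # Step 8-11: the alarm, wired to the filter's namespace and metric name.
        "RootAccountUsageAlarm": {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmName": "RootAccountUsage",
                "Namespace": "Security/IAM",
                "MetricName": "RootAccountUsage",
                "Statistic": "Sum",
                "Period": 300,
                "EvaluationPeriods": 1,
                "Threshold": 1,                            # assumed limit
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "TreatMissingData": "notBreaching",
                "AlarmActions": [{"Ref": "RootUsageTopic"}],
            },
        },
    },
}

# Same template with the alarm action removed: Troubleshooting step 3 fails.
BROKEN_TEMPLATE = copy.deepcopy(COMPLETE_TEMPLATE)
del BROKEN_TEMPLATE["Resources"]["RootAccountUsageAlarm"]["Properties"]["AlarmActions"]


def _resources(template, rtype):
    """All resources of one CloudFormation type, keyed by logical name."""
    return {name: r for name, r in template.get("Resources", {}).items()
            if r.get("Type") == rtype}


def check_root_monitoring(template):
    """Return a list of findings; an empty list means the wiring is complete."""
    findings = []
    filters = _resources(template, "AWS::Logs::MetricFilter")
    root_filters = {n: f for n, f in filters.items()
                    if ":root" in f.get("Properties", {}).get("FilterPattern", "")}
    if not root_filters:
        return ["no metric filter with a root-usage pattern"]
    # (namespace, metric name) pairs the root filters emit
    metrics = set()
    for f in root_filters.values():
        for t in f["Properties"].get("MetricTransformations", []):
            metrics.add((t.get("MetricNamespace"), t.get("MetricName")))
    alarms = _resources(template, "AWS::CloudWatch::Alarm")
    linked = {n: a for n, a in alarms.items()
              if (a["Properties"].get("Namespace"),
                  a["Properties"].get("MetricName")) in metrics}
    if not linked:
        return findings + ["no alarm references the root-usage metric"]
    for name, a in linked.items():
        p = a["Properties"]
        if not p.get("AlarmActions"):
            findings.append(f"alarm '{name}' has no AlarmActions")
        if p.get("ComparisonOperator") not in ("GreaterThanThreshold",
                                               "GreaterThanOrEqualToThreshold"):
            findings.append(f"alarm '{name}' does not use a greater-than comparison")
    return findings


if __name__ == "__main__":
    print(json.dumps(COMPLETE_TEMPLATE, indent=2))
    print("complete:", check_root_monitoring(COMPLETE_TEMPLATE))
    print("broken:  ", check_root_monitoring(BROKEN_TEMPLATE))
```

The check keys the alarm to the filter through the (Namespace, MetricName) pair rather than by resource name, because that pair is the only link CloudWatch itself uses: an alarm whose namespace or metric name differs from the filter's by a single character watches an empty metric and never fires, which is the silent failure Troubleshooting step 2 is meant to catch. Running a check like this against the template in version control, before deployment, covers steps 1 through 4 without logging in to the console.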