Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

This rule ensures that a log metric filter and alarm exist for AWS Management Console authentication failures.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

This rule ensures that a log metric filter and alarm are in place to monitor AWS Management Console authentication failures, as outlined in the NIST Cybersecurity Framework (CSF) version 1. The log metric filter and alarm help identify and respond to any unauthorized access attempts or potential security breaches in the AWS Management Console.

Troubleshooting Steps:

  1. Ensure that CloudTrail is enabled in the AWS account.
  2. Verify that the appropriate permissions are assigned to access and manage CloudTrail.
  3. Check the AWS Identity and Access Management (IAM) policies to ensure that the necessary permissions are granted for log metric filters and alarms.
  4. Confirm that the log metric filter and alarm are set up correctly with the required parameters.

Necessary Code:

No specific code snippet is provided for this rule as it requires configuration settings within AWS CloudTrail and CloudWatch.

Step-by-Step Guide for Remediation:

  1. Open the AWS Management Console and navigate to the AWS CloudTrail service.
  2. Ensure that CloudTrail is enabled for the AWS account by checking the trail status.
  3. If CloudTrail is not enabled, click on the "Trails" menu on the left-hand side and create a new trail.
  4. Configure the trail settings according to your requirements, making sure to include logging for AWS Management Console events.
  5. Once the trail is created, go to the AWS CloudWatch service.
  6. Click on the "Log groups" menu on the left-hand side and search for the log group associated with AWS Management Console events.
  7. Select the appropriate log group and click on "Create Metric Filter."
  8. Configure the metric filter pattern to identify AWS Management Console authentication failures.
  9. Enable the filter to create a corresponding metric for failed authentication events.
  10. Set the desired metric filter name and choose a metric namespace.
  11. Select an existing metric alarm or create a new alarm.
  12. Configure the alarm threshold, actions, and notification settings as needed.
  13. Save the changes and verify that the log metric filter and alarm are successfully created.
  14. Test the log metric filter and alarm by intentionally entering incorrect credentials into the AWS Management Console and verify if the alarm is triggered and notifications are received.

By following these steps, you will ensure that a log metric filter and alarm are in place to monitor AWS Management Console authentication failures, aligned with the NIST Cybersecurity Framework (CSF) version 1.
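
The check below is an added example, not CloudDefense's or AWS's own code. It verifies the whole chain the remediation steps build (logging trail, metric filter on the trail's log group, alarm on the filter's metric, notification target with a confirmed subscriber), using the field names of the corresponding AWS API responses. The filter pattern is the one from the CIS AWS Foundations Benchmark, which this page does not state, and the sample account ID, names and ARNs are constructed.

```python
import re

# Filter pattern from the CIS AWS Foundations Benchmark for this control
# (assumption: the page itself does not state a pattern).
CIS_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

def _norm(pattern):
    # Ignore whitespace so cosmetic differences do not cause a false finding.
    return re.sub(r"\s+", "", pattern or "")

def audit(trail, filters, alarms, subscriptions):
    """Return a list of findings; an empty list means the chain is complete.
    Inputs use the field names of DescribeTrails + GetTrailStatus (merged),
    DescribeMetricFilters, DescribeAlarms and ListSubscriptionsByTopic."""
    if not trail.get("IsLogging"):
        return ["trail is not logging"]
    arn = trail.get("CloudWatchLogsLogGroupArn") or ""
    if ":log-group:" not in arn:
        return ["trail does not deliver to a CloudWatch Logs log group"]
    group = arn.split(":log-group:")[1].split(":")[0]
    # Metrics emitted by a matching filter on the trail's own log group.
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in filters
               if f["logGroupName"] == group
               and _norm(f.get("filterPattern")) == _norm(CIS_PATTERN)
               for t in f["metricTransformations"]}
    if not metrics:
        return ["no metric filter for console authentication failures on " + group]
    watching = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not watching:
        return ["no alarm watches the filter's metric"]
    confirmed = {s["TopicArn"] for s in subscriptions
                 if s["SubscriptionArn"] != "PendingConfirmation"}
    if not any(a.get("ActionsEnabled") and confirmed & set(a.get("AlarmActions", []))
               for a in watching):
        return ["no alarm has an enabled action on an SNS topic with a confirmed subscriber"]
    return []

# Constructed sample data: account id, names and ARNs are placeholders.
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
TRAIL = {"Name": "mgmt-trail", "IsLogging": True, "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail/mgmt:*"}
FILTERS = [{"filterName": "console-auth-failures", "logGroupName": "cloudtrail/mgmt",
            "filterPattern": CIS_PATTERN, "metricTransformations": [
                {"metricNamespace": "Security", "metricName": "ConsoleAuthFailures"}]}]
ALARMS = [{"Namespace": "Security", "MetricName": "ConsoleAuthFailures",
           "ActionsEnabled": True, "AlarmActions": [TOPIC]}]
SUBS = [{"TopicArn": TOPIC, "SubscriptionArn": TOPIC + ":constructed-subscription-id"}]
if __name__ == "__main__":
    print(audit(TRAIL, FILTERS, ALARMS, SUBS) or "compliant")
```

The comparison is an exact match after whitespace normalization, so a filter that detects the same events with a differently written pattern is reported as missing and should be reviewed by hand.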
