
Rule: Ensure a log metric filter and alarm exist for usage of 'root' account

This rule requires that a log metric filter and a CloudWatch alarm exist for 'root' account activity so that its usage is properly monitored.

Rule: Ensure a log metric filter and alarm exist for usage of 'root' account
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description

To comply with the NIST Cybersecurity Framework (CSF) v1, it is important to have a log metric filter and alarm in place to monitor usage of the 'root' account in your AWS account. The 'root' account holds the highest level of privileges, so its activity should be closely monitored to detect any unauthorized or suspicious use.

Troubleshooting Steps

If you encounter any issues while implementing this rule, you can follow these troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the IAM user or role you are using to set up the log metric filter and alarm has the necessary permissions to create and modify CloudWatch resources.

  2. Check Log Group Configuration: Confirm that the log group you are targeting for the log metric filter and alarm is correctly configured and receiving the appropriate log data.

  3. Validate Filter Pattern: Double-check the filter pattern used in the log metric filter. Make sure it accurately captures the log events related to 'root' account usage. You can test the filter pattern using the CloudWatch Logs console or command-line tools.

  4. Verify Alarm Settings: Review the alarm settings and ensure they are configured correctly. Verify the threshold, period, and actions taken when the alarm is triggered.

  5. Check CloudWatch Logs Agent: If you are using a CloudWatch Logs agent on your instances, verify that it is properly installed, configured, and sending the desired logs to CloudWatch Logs.

Necessary Codes

Here is an example of the necessary code to set up the log metric filter and alarm using the AWS Command Line Interface (CLI):

  1. Create a Log Metric Filter:

    aws logs put-metric-filter --log-group-name [LOG_GROUP_NAME] --filter-name RootAccountFilter --filter-pattern '{ $.userIdentity.type = "Root" }' --metric-transformations metricName=RootAccountUsage,metricNamespace=[NAMESPACE],metricValue=1 --region [REGION]

  • Replace [LOG_GROUP_NAME] with the name of the log group to which you want to apply this filter. The pattern uses CloudTrail's JSON field names, so this must be the log group that receives your CloudTrail events.
  • Replace [NAMESPACE] with the preferred namespace for the metric (e.g., "NIST-CSF-v1").
  • Replace [REGION] with the AWS region where your log group exists.
  • The pattern is wrapped in single quotes so that the shell passes the double quotes around "Root" through unchanged. If you also want to exclude actions that AWS services perform on the root account's behalf, the CIS AWS Foundations Benchmark uses the stricter pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'.

  2. Create an Alarm for the Metric:

    aws cloudwatch put-metric-alarm --alarm-name RootAccountUsageAlarm --alarm-description "Alarm for detecting 'root' account usage" --metric-name RootAccountUsage --namespace [NAMESPACE] --statistic SampleCount --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --alarm-actions [ACTION_ARN] --evaluation-periods 1 --region [REGION]

  • Replace [NAMESPACE] with the same namespace used in the log metric filter.
  • Replace [ACTION_ARN] with the appropriate ARN for the notification or action to be triggered when the alarm is activated (typically an SNS topic ARN).
  • Replace [REGION] with the AWS region where you want to create the alarm. This must be the same region as the log group, because the metric is published there.
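The troubleshooting step "Validate Filter Pattern" and the filter command above both hinge on what the pattern actually matches. The following Python snippet is an added example, not code from the page or from Cloud Defense: it re-implements the matching logic of the page's pattern and of the stricter CIS pattern locally and runs both over constructed sample CloudTrail records, showing which events would publish RootAccountUsage=1 and therefore trip the alarm. The event contents and account number are constructed, and the matcher is a local approximation of CloudWatch Logs filter semantics, not the service itself.

```python
import json

# Constructed sample CloudTrail records (not real log data) in the JSON
# shape CloudTrail delivers to CloudWatch Logs.
SAMPLE_EVENTS = [
    # Interactive root console sign-in: the event this rule exists to catch.
    json.dumps({"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root",
                                 "arn": "arn:aws:iam::111122223333:root"}}),
    # Ordinary IAM user activity: must never match.
    json.dumps({"eventType": "AwsApiCall", "eventName": "CreateUser",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    # Root identity, but an AWS service acted on the account's behalf.
    json.dumps({"eventType": "AwsApiCall", "eventName": "CreateSnapshot",
                "userIdentity": {"type": "Root",
                                 "invokedBy": "backup.amazonaws.com"}}),
    # Service-generated event attributed to root (constructed eventName).
    json.dumps({"eventType": "AwsServiceEvent", "eventName": "ExampleEvent",
                "userIdentity": {"type": "Root"}}),
    # A non-JSON agent line: a JSON filter pattern can never match it.
    "plain text agent line, not JSON",
]


def _parse(message):
    """Return the event as a dict, or None if the line is not a JSON object."""
    try:
        event = json.loads(message)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def matches_page_pattern(message):
    """Local equivalent of the page's filter: { $.userIdentity.type = "Root" }"""
    event = _parse(message)
    return event is not None and event.get("userIdentity", {}).get("type") == "Root"


def matches_cis_pattern(message):
    """Local equivalent of the CIS pattern, which also drops events where
    $.userIdentity.invokedBy exists or $.eventType is AwsServiceEvent."""
    event = _parse(message)
    if event is None:
        return False
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")


def count_matches(messages, matcher):
    """Number of lines that would publish RootAccountUsage=1 under matcher."""
    return sum(1 for m in messages if matcher(m))
```

Run over the sample, the page's pattern counts three matches while the CIS pattern counts one; the difference is exactly the service-initiated activity that would otherwise page an on-call engineer.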

Step-by-Step Remediation

Follow these steps to implement the log metric filter and alarm for monitoring the usage of the 'root' account:

  1. Open the AWS Command Line Interface (CLI) or terminal.

  2. Create a log metric filter by executing the following command:

    aws logs put-metric-filter --log-group-name [LOG_GROUP_NAME] --filter-name RootAccountFilter --filter-pattern '{ $.userIdentity.type = "Root" }' --metric-transformations metricName=RootAccountUsage,metricNamespace=[NAMESPACE],metricValue=1 --region [REGION]

  3. Replace [LOG_GROUP_NAME] with the name of the log group you want to monitor. Replace [NAMESPACE] with your preferred namespace for the metric (e.g., "NIST-CSF-v1"). Replace [REGION] with the AWS region where your log group exists.

  4. Execute the command to create an alarm for the metric:

    aws cloudwatch put-metric-alarm --alarm-name RootAccountUsageAlarm --alarm-description "Alarm for detecting 'root' account usage" --metric-name RootAccountUsage --namespace [NAMESPACE] --statistic SampleCount --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --alarm-actions [ACTION_ARN] --evaluation-periods 1 --region [REGION]

  5. Replace [NAMESPACE] with the same namespace used in the log metric filter. Replace [ACTION_ARN] with the appropriate ARN for the notification or action to be triggered when the alarm is activated. Replace [REGION] with the AWS region where you want to create the alarm.

  6. Verify that the log metric filter and alarm were created successfully by checking the CloudWatch console or by executing the respective CLI commands:

    aws logs describe-metric-filters --log-group-name [LOG_GROUP_NAME] --region [REGION]
    aws cloudwatch describe-alarms --alarm-names RootAccountUsageAlarm --region [REGION]

By following these steps, you have implemented a log metric filter and alarm that monitor usage of the 'root' account in your AWS account, supporting compliance with the NIST Cybersecurity Framework (CSF) v1.
