
Ensure a Log Metric Filter and Alarm Exist for AWS Management Console Authentication Failures

This rule ensures the presence of a log metric filter and alarm for AWS Management Console authentication failures.

Rule: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Low

Rule Description:

The rule ensures the presence of a log metric filter and alarm within your AWS environment to detect and notify any authentication failures for AWS Management Console access. This rule aligns with the NIST Cybersecurity Framework (CSF) v1, which emphasizes the importance of monitoring and detecting unauthorized access attempts.

Troubleshooting Steps (if any):

If any issues arise with the log metric filter and alarm, you can follow these troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the IAM user or role used to configure the log metric filter and alarm has sufficient permissions to access CloudWatch Logs and create alarms. Make sure the necessary IAM policies, such as CloudWatchLogsFullAccess and CloudWatchFullAccess, are attached to the user or role.

  2. Check CloudTrail Configuration: Confirm that AWS CloudTrail is enabled and properly configured to capture and deliver Management Console events to CloudWatch Logs. Check the CloudTrail settings and verify that log delivery is functioning correctly.

  3. Review Log Metric Filter Pattern: Ensure that the log metric filter pattern is correctly defined to match authentication failures for the Management Console. The pattern should include the specific keywords or fields associated with failed login attempts or authentication errors.

  4. Validate Alarm Configuration: Double-check the alarm configuration to confirm that the threshold, notification targets, and actions are appropriately set. Ensure that the alarm triggers when the specified number of authentication failures occurs within the defined period.

Necessary Codes (if any):

No specific code is required for this rule, as it focuses on the configuration of log metric filters and alarms within AWS Management Console and CloudWatch.

Step-by-Step Guide for Remediation:

Follow these steps to remediate any issues related to the log metric filter and alarm for AWS Management Console authentication failures:

  1. Open the AWS Management Console and navigate to the CloudWatch service.

  2. In the CloudWatch dashboard, select "Logs" from the navigation pane.

  3. Locate the log group associated with AWS Management Console authentication, typically found under the "/aws/management-console" prefix.

  4. Click on the log group name to view the log streams.

  5. Verify that log streams exist and include authentication-related logs.

  6. If no log streams are present, ensure that AWS CloudTrail is correctly configured and delivering Management Console events to CloudWatch Logs.

  7. To create a log metric filter, select the log group and click on the "Create Metric Filter" button.

  8. Define the filter pattern to match authentication failures. This pattern might include phrases such as "Failed authentication" or error codes associated with login failures.

  9. Specify the filter pattern details, metric namespace, and metric name.

  10. Click on "Create Filter" to save the log metric filter.

  11. To configure an alarm for the log metric filter, go to the CloudWatch dashboard and select "Alarms" from the navigation pane.

  12. Click on the "Create Alarm" button to create a new alarm.

  13. Choose the "Select metric" button, and in the filter text box, search for the log metric filter created in the previous step.

  14. Select the appropriate log metric filter from the search results.

  15. Configure the alarm threshold, specifying the number of authentication failures within a defined period that should trigger the alarm.

  16. Set the alarm actions, such as sending a notification to an SNS topic or performing automated actions using an AWS Lambda function.

  17. Review the alarm configuration and click on "Create Alarm" to save the alarm.

  18. Validate that the log metric filter and alarm are functioning as expected by simulating an authentication failure in the AWS Management Console and verifying that the alarm triggers and sends the appropriate notifications.

By following these steps, you can ensure the presence of a log metric filter and alarm for AWS Management Console authentication failures, aligning with the NIST Cybersecurity Framework (CSF) v1.
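As an added example (not part of the original rule page or Cloud Defense's tooling), the following Python emulates the metric filter pattern the CIS AWS Foundations Benchmark uses for this check and applies an assumed alarm setting of one failure per 5-minute period over constructed CloudTrail records, so you can see which events the filter at step 8 would count and when the alarm at step 15 would fire.

```python
import json
from collections import Counter
from datetime import datetime

# Filter pattern used by the CIS AWS Foundations Benchmark for this check.
# CloudTrail writes failed ConsoleLogin events with this exact errorMessage.
FILTER_PATTERN = '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'

# Alarm settings assumed for this example: one failure within a 5-minute period.
ALARM_THRESHOLD = 1
PERIOD_SECONDS = 300


def matches_filter(event: dict) -> bool:
    """Emulate FILTER_PATTERN on a single parsed CloudTrail record."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def failures_per_period(log_lines):
    """Count matching records per period bucket, as the metric filter would emit them."""
    buckets = Counter()
    for line in log_lines:
        event = json.loads(line)
        if matches_filter(event):
            ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
            bucket = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
            buckets[bucket] += 1
    return dict(buckets)


def periods_in_alarm(log_lines):
    """Return period start times (epoch seconds) whose failure count reaches the threshold."""
    return sorted(b for b, n in failures_per_period(log_lines).items() if n >= ALARM_THRESHOLD)


# Constructed sample CloudTrail records (not real logs): two failed console logins
# inside one 5-minute window, one successful login, and an unrelated API error.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-15T10:01:10Z", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Failure"},
                "errorMessage": "Failed authentication", "userIdentity": {"userName": "alice"}}),
    json.dumps({"eventTime": "2024-01-15T10:03:42Z", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Failure"},
                "errorMessage": "Failed authentication", "userIdentity": {"userName": "alice"}}),
    json.dumps({"eventTime": "2024-01-15T10:04:05Z", "eventName": "ConsoleLogin",
                "responseElements": {"ConsoleLogin": "Success"}, "userIdentity": {"userName": "bob"}}),
    json.dumps({"eventTime": "2024-01-15T10:20:00Z", "eventName": "DescribeInstances",
                "errorMessage": "Client.UnauthorizedOperation"}),
]

if __name__ == "__main__":
    print(periods_in_alarm(SAMPLE_LOG_LINES))  # → [1705312800]
```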
