Ensure a Log Metric Filter and Alarm Exist for Usage of 'root' Account Rule
This rule ensures the presence of a log metric filter and alarm for 'root' account usage.
| Rule | Ensure a log metric filter and alarm exist for usage of 'root' account |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm are in place to monitor the usage of the 'root' account, as per the guidelines specified in the NIST Cybersecurity Framework (CSF) v1.
Troubleshooting Steps:
- 1.Check if the log metric filter exists for the 'root' account.
- 2.Verify if the log metric filter is correctly configured to capture 'root' account usage.
- 3.Ensure that the alarm is set up properly to trigger an alert when 'root' account usage is detected.
- 4.Check the integration between the log metric filter and the alarm to ensure they are properly associated.
- 5.Validate if the alarm's notification settings are configured correctly to notify the appropriate stakeholders when triggered.
Necessary Codes:
- 1.Log Metric Filter:
{ "FilterName": "RootAccountUsage", "FilterPattern": "Account: root", "FilterPatternSpace": " " }
- 1.Alarm Configuration:
{ "AlarmName": "RootAccountUsageAlarm", "MetricName": "RootAccountUsage", "Namespace": "AWS/Logs", "Statistic": "Sum", "Threshold": 1, "ComparisonOperator": "GreaterThanThreshold", "Dimensions": [ { "Name": "Account", "Value": "root" } ], "EvaluationPeriods": 1, "Period": 300, "AlarmActions": [ "arn:aws:sns:us-east-1:123456789012:RootAccountUsageNotification" ], "AlarmDescription": "Alarm triggered when 'root' account is used.", "TreatMissingData": "missing" }
Step-by-Step Remediation Guide:
- 1.
Create a log metric filter:
- Go to the AWS Management Console.
- Navigate to the CloudWatch service.
- Select "Log groups" from the left-hand menu.
- Choose the appropriate log group where AWS API logs are stored.
- Click on the "Create metric filter" button.
- Enter a filter pattern that captures 'root' account usage, such as
in the filter pattern field.Account: root - Ensure the filter pattern space is set to " ".
- Provide a filter name, e.g., "RootAccountUsage".
- Click on the "Create filter" button to save the log metric filter.
- 2.
Configure an alarm:
- Stay in the CloudWatch service.
- Go to "Alarms" in the left-hand menu.
- Click on the "Create alarm" button.
- Select "Select metric" under the "Create Alarm" tab.
- Choose the appropriate log group from the "Browse" section.
- Select the log metric filter with the name "RootAccountUsage" from the list.
- Configure the alarm threshold, e.g., set it to 1.
- Set the evaluation period to 1.
- Choose a period of 300 (or as per your preference).
- Provide an alarm name, e.g., "RootAccountUsageAlarm".
- Add an appropriate alarm description for better understanding.
- Configure the alarm actions to notify the relevant stakeholders via SNS or any other preferred method.
- Ensure the "Treat missing data as" option is set to "missing".
- Click on the "Create alarm" button to save the alarm configuration.
- 3.
Validate setup:
- To ensure the log metric filter and alarm are correctly configured, attempt to use the 'root' account.
- Wait for the evaluation period specified in the alarm configuration.
- Check if an alert is triggered and the appropriate stakeholders are notified.
- Verify that the alarm produces the desired result and functions as expected.
By following the above steps, you can ensure that a log metric filter and alarm exist to monitor the usage of the 'root' account in accordance with the NIST Cybersecurity Framework (CSF) v1.