CloudWatch log metric filter and alarm for Management Console authentication failures should be configured


A CloudWatch metric filter and alarm should be established for failed console authentication attempts. Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in correlating other events.

Console Remediation Steps

This is a two part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation pane, select Logs.

    • Select the log group you created for the CloudTrail Log events.

    • Click Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

    • Choose Assign Metric.

    • For Filter Name, type ConsoleSignInFailures.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type ConsoleSignInFailureCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm:

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Console Sign In Failures.

      • In Whenever, enter is >= 3 for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to field, select New List and enter a unique name for it.

      • In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.

CLI Remediation Steps