CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
Description
A CloudWatch metric filter and alarm should be established for failed console authentication attempts. Monitoring failed console sign-ins can shorten the time needed to detect an attempt to brute-force a credential, and each failure carries indicators, such as the source IP address, that can be correlated with other events.
Console Remediation Steps
This is a two-part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See the AWS documentation topic Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.
Step 1: To create the Metric Filter:
Navigate to CloudWatch.
In the left navigation, click Log Groups and select the desired log group.
Select Metric filters > Create Metric Filter.
In Filter pattern, enter the following:
{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
Click Next.
For Filter name, type ConsoleSignInFailures.
For Metric namespace, type CloudTrailMetrics.
For Metric name, type ConsoleSignInFailureCount.
For Metric value, type 1.
Click Next > Create metric filter.
Step 2: To create an Alarm:
Check the newly created metric filter and click Create alarm.
Select the Threshold type (Static).
Define the alarm condition and threshold value. A common baseline, and the setting used by the CIS AWS Foundations Benchmark, is Sum greater than or equal to 1 over a 5-minute period, so that a single failed sign-in raises the alarm.
Click Next.
In Alarm state trigger, select In alarm.
Select an existing SNS topic, create a new topic, or use a topic ARN.
If you chose to create a new topic, enter a name in Create a new topic.
Enter an email address in Email endpoints that will receive the notification.
Click Create topic.
Click Next.
Enter an Alarm name.
Optionally, enter an alarm description.
Click Next > Create alarm.
CLI Remediation Steps
This is a two-part process. First, you create the Metric Filter, then you create the Metric Alarm.
Step 1: Create the Metric Filter.
Step 2: Create the Metric Alarm.
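The two CLI steps above carried out end to end, as an added example that is not part of the original page: an AWS CLI script that creates the metric filter and the alarm with the same names and filter pattern as the console steps, then verifies that both exist. The log group name, SNS topic ARN and alarm name are placeholders; the script assumes the CloudTrail trail already delivers to that log group and that the SNS topic already exists. The alarm settings (Sum greater than or equal to 1 over one 5-minute period) are the CIS AWS Foundations Benchmark values, not something the page itself specifies.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the two CLI remediation steps plus a
# verification step, using the AWS CLI. Dry-run by default: commands are printed
# instead of executed. Run with DRY_RUN=0 to apply them.
set -eu

# Assumptions (placeholders, adjust to your account): the CloudTrail trail already
# delivers to this CloudWatch Logs log group, and the SNS topic already exists.
LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:123456789012:SecurityAlerts}"

# Names match the console steps on this page; the alarm name is a placeholder.
FILTER_NAME="ConsoleSignInFailures"
METRIC_NAMESPACE="CloudTrailMetrics"
METRIC_NAME="ConsoleSignInFailureCount"
ALARM_NAME="${ALARM_NAME:-ConsoleSignInFailureAlarm}"

# Same pattern as in the console steps: CloudTrail ConsoleLogin events whose
# errorMessage is exactly "Failed authentication". Successful sign-ins carry no
# errorMessage and therefore do not match.
FILTER_PATTERN='{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

DRY_RUN="${DRY_RUN:-1}"

# Run an AWS CLI command, or print it when DRY_RUN=1.
aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] aws $*"
  else
    aws "$@"
  fi
}

# Step 1: the metric filter. Every matching event adds 1 to the metric.
create_metric_filter() {
  aws_cmd logs put-metric-filter \
    --log-group-name "$LOG_GROUP" \
    --filter-name "$FILTER_NAME" \
    --filter-pattern "$FILTER_PATTERN" \
    --metric-transformations "metricName=$METRIC_NAME,metricNamespace=$METRIC_NAMESPACE,metricValue=1"
}

# Step 2: the alarm. Sum >= 1 over one 5-minute period is the CIS AWS Foundations
# Benchmark setting. Failed sign-ins are rare, so the metric usually has no data
# points at all; treat-missing-data notBreaching keeps the alarm in OK instead of
# INSUFFICIENT_DATA between incidents.
create_metric_alarm() {
  aws_cmd cloudwatch put-metric-alarm \
    --alarm-name "$ALARM_NAME" \
    --alarm-description "AWS Management Console authentication failures" \
    --namespace "$METRIC_NAMESPACE" \
    --metric-name "$METRIC_NAME" \
    --statistic Sum \
    --period 300 \
    --evaluation-periods 1 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$SNS_TOPIC_ARN"
}

# Check: the filter exists on the log group and the alarm exists by name.
verify() {
  aws_cmd logs describe-metric-filters \
    --log-group-name "$LOG_GROUP" \
    --filter-name-prefix "$FILTER_NAME"
  aws_cmd cloudwatch describe-alarms \
    --alarm-names "$ALARM_NAME"
}

main() {
  create_metric_filter
  create_metric_alarm
  verify
}

main
```

Review the printed commands first, then run with DRY_RUN=0 and the real log group and topic ARN exported; the CLI uses the credentials and region of the active profile. The metric namespace and metric name passed to put-metric-alarm must match the ones given to put-metric-filter exactly, otherwise the alarm watches a metric that never receives data.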