AWS-Monitoring-Console-Auth-Failure-Log-Metric
- naveen
Severity : Medium
Description: This control checks if CloudWatch alarm exists for cloud trail events to monitor management console authentication failures. Real-time monitoring can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in another event correlation. It is recommended that a metric filter and alarm be established for failed console authentication attempts..
Remediation Steps:
Perform following to configure monitoring for console login auth failures :
Create the cloud trail for console login auth failures
Login to the AWS Management Console at https://console.aws.amazon.com
Go to CloudTrail in services
On Trails section of the Dashboard , choose Create trail.
For Trail name, type a name.
For organization trail, choose to enable the trail for all accounts in organization.
For Storage location, choose Create new S3 bucket or Use existing S3 bucket. if using existing bucket, specify a bucket in Trail log bucket name,
Create a folder and Enter the folder name in Prefix. This helps organize logs in bucket.
For Log file SSE-KMS encryption, choose Enabled.
In Additional settings, For Log file validation, choose Enabled.
Configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs.
For Tags, add one or more custom tags.
On the Choose log events, In Management events for API activity, choose if to log Read events and Write events both.
Choose Next.
Choose Create trail.
Create a metric filter for the console login auth failures
Go to CloudWatch in services.
In the navigation, choose Logs.
In the list of log groups, choose the log group that was created for CloudTrail log events above.
Choose Actions, and then choose Create metric filter.
On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.
{($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication")}
In Test pattern, leave defaults. Choose Next.
On the Assign metric page, for Filter name, enter console_auth_fail_metric.
In Metric details, turn on Create new, and enter CISBenchmark for Metric namespace. For Metric name, Enter ConsoleAuthFailMetric, For Metric value, type 1, Leave Default value blank.
Choose Next.
Choose Create metric filter to create the filter.
Create an alarm for log Event for console login auth failures
On the Metric filters tab, find the metric filter.
Check the box for the metric filter.
In the Metric filters, choose Create alarm.
On the Create Alarm, Enter following in Specify metric and conditions
1 for Graph
Sum for Statistic
5 minute for Period.
In Conditions, for Threshold type, choose Static.
1 for Threshold. In Additional Settings section, for Treat missing data as drop-down list, select missing.
Choose Next.
On the Configure actions, choose In alarm for in alarm state
For Select an SNS topic, choose Create new.
For SNS topic name, enter ConsoleAuthFailAlarmTopic.
For Email endpoints that will receive the notification, enter email addresses of users who want to receive notifications.
Choose Create topic.
Choose Next.
On the Add name and description, enter alarm name and description.
Choose Next.
On the Preview and create, choose Create alarm.
Important:
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #4.14
Blue Hexagon Proprietary