Profile Applicability:

Level 2

Description:

AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. This control ensures that failed AWS Management Console login attempts are monitored, providing early detection of brute-force attacks, unauthorized access attempts, or credential stuffing.

AWS Management Console Authentication Failure

  • The event is logged in CloudTrail when a user fails to authenticate using the AWS Console.

  • The event is identified by an eventName of ConsoleLogin together with an errorMessage of "Failed authentication" (a successful console login carries no errorMessage).

  • Monitoring this helps detect and investigate failed login attempts and take action.

Rationale:

Monitoring failed authentication attempts helps:

  • Detect brute-force login attempts before an account is compromised.

  • Identify unauthorized access attempts to the AWS Management Console.

  • Improve incident response by alerting security teams of unusual login patterns.

  • Enhance compliance with SOC 2, HIPAA, PCI DSS, and GDPR.

Impact:

  • Monitoring failed logins can generate a high volume of alerts.

  • Threshold-based filtering may be required to reduce noise.

  • CloudWatch Logs and SNS notifications must be configured manually.

Default Value:

  • AWS does not monitor failed console logins by default.

  • CloudTrail logs these events, but CloudWatch Alarms and SNS notifications must be configured.

Pre-Requisites:

  1. AWS CloudTrail enabled with multi-region logging.

  2. AWS CloudWatch Logs enabled and linked to CloudTrail.

  3. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.

  3. Verify there is at least one multi-region CloudTrail trail enabled.

  4. Ensure CloudTrail is logging management events:

    • Click on the trail and check Event Selectors.

    • Ensure management events are set to "All".

  5. Check that CloudTrail logs are being sent to CloudWatch.

  6. Navigate to CloudWatch Logs: AWS CloudWatch Console.

  7. Ensure that a metric filter is created for console authentication failures.

  8. Check CloudWatch Alarms for alerts on console login failures.

Implementation Steps:

Using AWS CLI

Step 1: Create a Metric Filter for Console Authentication Failures

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name console-signin-failure-metric \
--metric-transformations metricName=console-signin-failure-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name console-signin-failure-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>

Step 4: Create a CloudWatch Alarm for Console Authentication Failures

aws cloudwatch put-metric-alarm --alarm-name console-signin-failure-alarm \
--metric-name console-signin-failure-metric --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
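As an added example that is not part of this control's text, the following Python applies the Step 1 filter predicate and the Step 4 alarm arithmetic (Sum over 300-second periods, threshold 1, one evaluation period) to a few constructed CloudTrail-style records, so you can see which events count toward the alarm and why an account with no failures sits in INSUFFICIENT_DATA rather than OK. The sample records and user names are constructed, not real events.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real events). Only the fields the
# filter pattern and the alarm math need are included.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-05-01T10:00:12Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"type":"IAMUser","userName":"alice"}}',
    '{"eventTime":"2024-05-01T10:01:30Z","eventName":"ConsoleLogin","responseElements":{"ConsoleLogin":"Success"},"userIdentity":{"type":"IAMUser","userName":"alice"}}',
    '{"eventTime":"2024-05-01T10:02:05Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"type":"IAMUser","userName":"bob"}}',
    '{"eventTime":"2024-05-01T10:03:40Z","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","userName":"bob"}}',
    '{"eventTime":"2024-05-01T10:07:00Z","eventName":"ConsoleLogin","errorMessage":"Failed authentication","userIdentity":{"type":"IAMUser","userName":"alice"}}',
]

def matches_filter(record: dict) -> bool:
    """Same predicate as the Step 1 pattern:
    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    The comparison is an exact, case-sensitive string match. A successful
    ConsoleLogin has no errorMessage field at all, so it does not match."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("errorMessage") == "Failed authentication")

def metric_sums(log_lines, period=300) -> dict:
    """Emit metricValue=1 per matching record and aggregate with the Sum
    statistic over fixed period-second windows, keyed by window start
    (epoch seconds), oldest window first."""
    sums = Counter()
    for line in log_lines:
        record = json.loads(line)
        if matches_filter(record):
            ts = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc).timestamp()
            sums[int(ts // period) * period] += 1
    return dict(sorted(sums.items()))

def alarm_state(sums, threshold=1, evaluation_periods=1) -> str:
    """Step 4 alarm: ALARM when the most recent evaluation_periods datapoints
    are all >= threshold (GreaterThanOrEqualToThreshold). With no matching
    events the filter emits no datapoint, so the alarm reports
    INSUFFICIENT_DATA rather than OK (CloudWatch's default for missing data)."""
    if not sums:
        return "INSUFFICIENT_DATA"
    recent = list(sums.values())[-evaluation_periods:]
    return "ALARM" if all(v >= threshold for v in recent) else "OK"

if __name__ == "__main__":
    sums = metric_sums(SAMPLE_LOG_LINES)
    for start, count in sums.items():
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), count)
    print(alarm_state(sums))
```

Raising the threshold or evaluation periods in alarm_state is the "threshold-based filtering" the Impact section mentions; try threshold=3 against the sample to see the alarm stay in OK.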

Backout Plan:

  1. Delete the CloudWatch alarm:

    aws cloudwatch delete-alarms --alarm-names console-signin-failure-alarm

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name console-signin-failure-metric

  3. Delete the SNS topic:

    aws sns delete-topic --topic-arn <sns-topic-arn>


CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                8.5          Collect detailed audit logs for security monitoring.
CIS v8                8.11         Conduct audit log reviews to detect anomalies.
CIS v7                6.3          Enable detailed logging for security monitoring.
CIS v7                4.9          Log and alert on unsuccessful administrative account logins.