Profile Applicability:
Level 2
Description:
AWS CloudTrail enables real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. This control ensures that failed AWS Management Console login attempts are monitored, providing early detection of brute-force attacks, unauthorized access attempts, or credential stuffing.
AWS Management Console Authentication Failure
The event is logged in CloudTrail when a user fails to authenticate using the AWS Console.
The event is identified using ConsoleLogin with Failed authentication.
Monitoring this helps detect and investigate failed login attempts and take action.
Rationale:
Monitoring failed authentication attempts helps:
Detect brute-force login attempts before an account is compromised.
Identify unauthorized access attempts to the AWS Management Console.
Improve incident response by alerting security teams of unusual login patterns.
Enhance compliance with SOC 2, HIPAA, PCI DSS, and GDPR.
Impact:
Monitoring failed logins can generate a high volume of alerts.
Threshold-based filtering may be required to reduce noise.
CloudWatch Logs and SNS notifications must be configured manually.
Default Value:
AWS does not monitor failed console logins by default.
CloudTrail logs these events, but CloudWatch Alarms and SNS notifications must be configured.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
AWS CloudWatch Logs enabled and linked to CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic
Remediation
Test Plan:
Using AWS Console
Login to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one multi-region CloudTrail trail enabled.
Ensure CloudTrail is logging management events:
Click on the trail and check Event Selectors.
Ensure management events are set to "All".
Check that CloudTrail logs are being sent to CloudWatch.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter is created for console authentication failures.
Check CloudWatch Alarms for alerts on console login failures.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for Console Authentication Failures
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name console-signin-failure-metric \
--metric-transformations metricName=console-signin-failure-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name console-signin-failure-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <[email protected]>
Step 4: Create a CloudWatch Alarm for Console Authentication Failures
aws cloudwatch put-metric-alarm --alarm-name console-signin-failure-alarm \ --metric-name console-signin-failure-metric --statistic Sum --period 300 \ --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \ --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names console-signin-failure-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name console-signin-failure-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>