Profile Applicability:
Level 1
Description:
Monitoring AWS Management Console authentication failures is essential to detect potential security incidents or unauthorized access attempts. Failed authentication events can indicate suspicious behavior, such as brute force attacks or credential misuse, and should be reviewed regularly to confirm that security controls are effective.
CloudTrail records AWS Management Console authentication failures as ConsoleLogin management events whose response reports Failure. These events can be monitored to detect unusual patterns of activity that could indicate a security breach.
Rationale:
Authentication failures are a clear indicator of potential security risks, including:
Brute force attacks where an attacker attempts to guess passwords or use stolen credentials.
Misconfigurations or attempts to access AWS resources with incorrect credentials.
Abuse of credentials for unauthorized access attempts.
By monitoring and reviewing failed login attempts, organizations can detect potential security threats early and take corrective action.
Impact:
Failure to monitor AWS Management Console authentication failures can lead to:
Lack of visibility into suspicious activity.
Delayed detection of unauthorized access attempts.
Increased risk of a security breach or successful attack.
Monitoring authentication failures helps identify and mitigate security risks, ensuring that login attempts are legitimate and not part of a malicious attack.
Default Value:
By default, AWS CloudTrail records management events, including failed login attempts to the AWS Management Console (ConsoleLogin events with a Failure response). However, nothing alerts on these events automatically; a metric filter and alarm must be configured to track and alert on failed authentication attempts.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:LookupEvents
cloudwatch:PutMetricData
cloudwatch:PutMetricAlarm
cloudwatch:DescribeAlarms
logs:PutMetricFilter
AWS CloudTrail should be enabled with management events recorded (this covers ConsoleLogin events) and the trail delivering to a CloudWatch Logs log group, which the metric filter below depends on
AWS CloudWatch should be configured to monitor failed login events
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Verify that CloudTrail is logging events for AWS Management Console authentication failures, such as ConsoleLogin events.
Go to the CloudWatch Console to check if any CloudWatch metrics or alarms are set up to monitor failed login attempts.
Using AWS CLI:
Note that the Events items returned by lookup-events carry the full record only as a JSON string in the CloudTrailEvent field; there is no top-level ResponseElements field, so the login outcome has to be read from that string (jq is used here to parse it):
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --output json | jq '.Events[] | (.CloudTrailEvent | fromjson) | select(.responseElements.ConsoleLogin == "Failure") | {eventTime, userName: .userIdentity.userName, sourceIPAddress}'
To check CloudWatch for failed authentication alarms:
aws cloudwatch describe-alarms --query "MetricAlarms[?AlarmName=='FailedConsoleLoginAlarm']" --output table
Implementation Plan:
Using AWS Console:
Verify CloudTrail logging for Console authentication failures:
Go to the CloudTrail Console.
Ensure that Management Events are enabled to capture ConsoleLogin events, including failed login attempts.
Ensure that logs are stored in an S3 bucket for long-term access and compliance.
Set up CloudWatch metrics and alarms for failed console login attempts:
Go to the CloudWatch Console.
Set up a custom CloudWatch metric filter to track failed ConsoleLogin events.
Create a CloudWatch alarm that triggers when the number of failed login attempts exceeds a threshold.
Using AWS CLI:
Verify CloudTrail logging for authentication failures:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin --output json | jq '.Events[] | (.CloudTrailEvent | fromjson) | select(.responseElements.ConsoleLogin == "Failure") | {eventTime, userName: .userIdentity.userName, sourceIPAddress}'
Create CloudWatch metrics and alarms:
First create a metric filter on the CloudWatch Logs log group that the trail delivers to, so that a metric actually exists for the alarm to evaluate. The namespace must be a custom one, because custom metrics cannot be published under the reserved "AWS/" prefix; "CISBenchmark" is used here. Then create the alarm on that metric and point it at an SNS topic, otherwise the alarm changes state without notifying anyone:
aws logs put-metric-filter --log-group-name <cloudtrail-log-group> --filter-name "ConsoleLoginFailures" --filter-pattern '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }' --metric-transformations metricName=ConsoleLoginFailures,metricNamespace=CISBenchmark,metricValue=1
aws cloudwatch put-metric-alarm --alarm-name "FailedConsoleLoginAlarm" --metric-name "ConsoleLoginFailures" --namespace "CISBenchmark" --statistic "Sum" --period 300 --threshold 5 --comparison-operator "GreaterThanOrEqualToThreshold" --evaluation-periods 1 --actions-enabled --alarm-actions <sns-topic-arn>
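The following Python script is an added example, not part of this benchmark page or of any AWS tool. It shows what the metric filter and alarm above evaluate: it parses records shaped like the output of lookup-events (the Failure/Success flag sits inside the CloudTrailEvent JSON string), keeps the failed ConsoleLogin events, and reports any user or source IP that reaches the page's threshold of 5 failures within a 300-second period. The events are a constructed sample (made-up user names, IPs and timestamps); in live use the SAMPLE_EVENTS list would be replaced by the Events returned by boto3's cloudtrail lookup_events call, as noted in the comments.

```python
import json
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                    # same threshold as the put-metric-alarm command
PERIOD = timedelta(seconds=300)  # same period as the put-metric-alarm command


def _make_event(ts, user, ip, outcome):
    """Build one record shaped like an item of LookupEvents 'Events' (constructed sample)."""
    body = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        body["errorMessage"] = "Failed authentication"   # what the CIS metric filter matches on
    return {
        "EventName": "ConsoleLogin",
        "EventTime": ts,
        "Username": user,
        "CloudTrailEvent": json.dumps(body, separators=(",", ":")),
    }


# Constructed sample: six failures for "alice" inside two minutes followed by a
# success, and two failures for "bob" an hour apart (a typo, not a burst).
_T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [_make_event(_T0 + timedelta(seconds=20 * i), "alice", "198.51.100.7", "Failure") for i in range(6)]
    + [_make_event(_T0 + timedelta(minutes=3), "alice", "198.51.100.7", "Success")]
    + [_make_event(_T0 + timedelta(minutes=10), "bob", "203.0.113.9", "Failure"),
       _make_event(_T0 + timedelta(minutes=70), "bob", "203.0.113.9", "Failure")]
)


def is_failed_console_login(event):
    """True when the record is a ConsoleLogin whose response reports Failure.

    The outcome is only inside the CloudTrailEvent JSON string, not at the top
    level of the LookupEvents item, so the string has to be parsed first.
    """
    body = json.loads(event["CloudTrailEvent"])
    if body.get("eventName") != "ConsoleLogin":
        return False
    response = body.get("responseElements") or {}
    return (response.get("ConsoleLogin") == "Failure"
            or body.get("errorMessage") == "Failed authentication")


def failed_logins(events):
    """Return (time, user, source_ip) for every failed login, oldest first."""
    out = []
    for ev in events:
        if not is_failed_console_login(ev):
            continue
        body = json.loads(ev["CloudTrailEvent"])
        user = body.get("userIdentity", {}).get("userName") or ev.get("Username", "unknown")
        out.append((ev["EventTime"], user, body.get("sourceIPAddress", "unknown")))
    return sorted(out)


def bursts_over_threshold(failures, threshold=THRESHOLD, period=PERIOD, key=1):
    """Largest number of failures seen in any window of `period`, grouped by
    tuple field `key` (1 = user name, 2 = source IP). Only groups that reach
    `threshold` are returned. A sliding window is at least as sensitive as the
    fixed 300-second buckets a Sum-statistic CloudWatch alarm evaluates."""
    by_key = {}
    for f in failures:
        by_key.setdefault(f[key], []).append(f[0])
    flagged = {}
    for k, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > period:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[k] = peak
    return flagged


if __name__ == "__main__":
    # Live use: events = boto3.client("cloudtrail").lookup_events(
    #     LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "ConsoleLogin"}])["Events"]
    fails = failed_logins(SAMPLE_EVENTS)
    print(f"{len(fails)} failed console logins in sample")
    for user, n in bursts_over_threshold(fails).items():
        print(f"ALERT: {user} had {n} failures within {PERIOD.seconds}s (threshold {THRESHOLD})")
    for ip, n in bursts_over_threshold(fails, key=2).items():
        print(f"ALERT: source {ip} had {n} failures within {PERIOD.seconds}s")
```

Grouping by source IP as well as by user matters for triage: a burst from one IP across many users looks like a spraying pattern, while a burst for one user from many IPs looks like a distributed guess against a single account. The CloudWatch alarm in the Implementation Plan sums all failures account-wide per period, so this per-principal view is what an analyst would run after the alarm fires.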
Backout Plan:
Using AWS Console:
If monitoring authentication failures creates excessive alarms or logs:
Go to the CloudWatch Console.
Disable or adjust the CloudWatch alarm for failed logins to a higher threshold.
Review the CloudTrail logging configuration. Note that CloudTrail does not support excluding an individual management event such as ConsoleLogin from a trail; the only trail-level options are stopping logging for the trail or removing its CloudWatch Logs delivery, and both remove visibility of far more than login failures.
Disable CloudTrail logging for Console login failures only if it leads to unnecessary resource usage and the loss of visibility is accepted:
Go to the CloudTrail Console and stop logging on the trail (there is no per-event switch for ConsoleLogin).
Using AWS CLI:
Temporarily disable CloudWatch alarms:
aws cloudwatch disable-alarm-actions --alarm-names "FailedConsoleLoginAlarm"
Stop logging authentication failures in CloudTrail. There is no update-trail option that excludes ConsoleLogin events; the closest CLI action stops the whole trail, which removes all CloudTrail visibility for that trail and not just login failures:
aws cloudtrail stop-logging --name <trail-name>
Re-enable monitoring once issues are resolved:
aws cloudwatch enable-alarm-actions --alarm-names "FailedConsoleLoginAlarm"
aws cloudtrail start-logging --name <trail-name>