Profile Applicability:

  • Level 1


Description:
This control ensures that AWS CloudTrail log data is monitored for authentication failures in the AWS Management Console. A CloudWatch metric filter and alarm should be created to detect and alert on console login failures. This allows organizations to respond quickly to potential unauthorized access attempts or account compromise.


Rationale:

Monitoring authentication failures helps identify brute-force attacks, misconfigured credentials, or unauthorized access attempts. By setting up log metric filters and corresponding alarms, security teams are alerted immediately when multiple login failures occur, reducing response time and mitigating potential security risks.


Impact:

  • Positive Impact: Enhances security visibility by identifying unauthorized access attempts promptly and improving incident response readiness.
  • Negative Impact: Slight increase in CloudWatch costs due to log monitoring and metric storage.


Default Value:
By default, AWS does not create a metric filter or alarm for Management Console login failures. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled for all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudWatch → Logs → Log groups.
  3. Locate the CloudTrail log group (usually named /aws/cloudtrail/...).
  4. Select Create metric filter.
  5. Enter the following filter pattern to detect failed console logins:
  6. Assign a metric name such as ConsoleLoginFailures.
  7. Create an alarm for the metric under CloudWatch → Alarms → Create alarm.
  8. Set a threshold (e.g., >= 1 occurrence in 5 minutes) and configure SNS notifications to alert the security team.
  9. Save the configuration.


Implementation Steps

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Open the CloudTrail log group.
  3. Choose Create metric filter and use the pattern:
  4. Set Metric Name: ConsoleLoginFailures.
  5. Create an Alarm:
    • Metric: ConsoleLoginFailures
    • Namespace: CISBenchmark
    • Condition: >= 1 in 5 minutes
    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
  6. Save all changes.

Backout Plan

Using AWS Console:

Go to CloudWatch → Alarms.

Select the ConsoleLoginFailuresAlarm.

Choose Actions → Delete.

Go to Logs → Metric Filters.

Delete the ConsoleLoginFailures filter.

References: