TF 0475 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| Service | cloudwatch |
| Provider | AWS |
Description
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.
Resolution
Create an alarm to alert on console login failures