Overview
A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures.
Prerequisites: This Alarm requires CloudTrail enabled, with events sent to a CloudWatch Log Group. See Related Configuration Items for configuration to enable CloudTrail/CloudWatch, or enter the CloudWatch Log Group name under the Metric Filter Configuration section.
Configuration Templates
Items
3
Size
1.2 KB
Missing Parameters
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
SnsTopic:
Type: 'AWS::SNS::Topic'
Properties:
Subscription:
- Endpoint: email@example.com
Protocol: email
TopicName: alarm-action
CloudWatchAlarm:
Type: 'AWS::CloudWatch::Alarm'
Properties:
AlarmName: failed_console_logins
AlarmDescription: >-
A CloudWatch Alarm that triggers if there are AWS Management Console
authentication failures.
MetricName: ConsoleLoginFailures
Namespace: CloudTrailMetrics
Statistic: Sum
Period: '300'
EvaluationPeriods: '1'
Threshold: '1'
ComparisonOperator: GreaterThanOrEqualToThreshold
AlarmActions:
- Ref: SnsTopic
TreatMissingData: notBreaching
MetricFilter:
Type: 'AWS::Logs::MetricFilter'
Properties:
LogGroupName: ''
FilterPattern: >-
{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed
authentication") }
MetricTransformations:
- MetricValue: '1'
MetricNamespace: CloudTrailMetrics
MetricName: ConsoleLoginFailures
Parameters: {}
Metadata: {}
Conditions: {}
Actions
Configure Action
Metric Filter Configuration
Alarm Configuration
Sources and Documentation
Configuration Source: AWS Quickstart
Additional Documentation:
- AWS Documentation: Create a CloudWatch alarm, and create log metric filters.
- AWS Documentation: AWS CloudWatch Alarm Overview
- CloudFormation Reference Guide: Create a CloudWatch Alarm and a Log Metric Filter.
- AWS CLI Command Reference Guide: Create a CloudWatch Alarm and a Log Metric Filter.