AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: failed_console_logins
      AlarmDescription: >-
        A CloudWatch Alarm that triggers if there are AWS Management Console
        authentication failures.
      MetricName: ConsoleLoginFailures
      Namespace: CloudTrailMetrics
      Statistic: Sum
      Period: '300'
      EvaluationPeriods: '1'
      Threshold: '1'
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - ''
      TreatMissingData: notBreaching
  MetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      LogGroupName: ''
      FilterPattern: >-
        { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed
        authentication") }
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleLoginFailures
Parameters: {}
Metadata: {}
Conditions: {}