A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures.
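AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  A CloudWatch Alarm that triggers if there are AWS Management Console
  authentication failures.

Resources:
  # Alarm on the custom metric published by MetricFilter below.
  CloudWatchAlarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmName: failed_console_logins
      AlarmDescription: >-
        A CloudWatch Alarm that triggers if there are AWS Management Console
        authentication failures.
      MetricName: ConsoleLoginFailures
      Namespace: CloudTrailMetrics
      Statistic: Sum
      # One failed login within a single 5-minute window is enough to alarm.
      # This is deliberately sensitive; expect alerts from ordinary typos and
      # tune Threshold or EvaluationPeriods if the volume hides real events.
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # The original listed a single empty string here, which is not a valid
      # action ARN and would leave the alarm with nobody to notify.
      AlarmActions:
        - !Ref AlarmNotificationTopicArn
      # The filter emits a data point only when an event matches, so periods
      # without data are normal. Side effect: if CloudTrail stops delivering
      # to the log group, this alarm stays OK; monitor delivery separately.
      TreatMissingData: notBreaching

  # Turns matching CloudTrail records into the ConsoleLoginFailures metric.
  MetricFilter:
    Type: 'AWS::Logs::MetricFilter'
    Properties:
      # Must be the log group that CloudTrail delivers to; the original left
      # this empty, so the filter was not attached to any log group.
      LogGroupName: !Ref CloudTrailLogGroupName
      # Matches ConsoleLogin events whose errorMessage is exactly
      # "Failed authentication". The line break is placed outside the quoted
      # literal so folding cannot alter the matched string.
      FilterPattern: >-
        { ($.eventName = ConsoleLogin) &&
        ($.errorMessage = "Failed authentication") }
      MetricTransformations:
        - MetricValue: '1'
          MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleLoginFailures

Parameters:
  CloudTrailLogGroupName:
    Type: String
    MinLength: 1
    Description: >-
      Name of the CloudWatch Logs log group that receives CloudTrail events.
  AlarmNotificationTopicArn:
    Type: String
    MinLength: 1
    Description: >-
      ARN of the SNS topic that is notified when the alarm fires.

Metadata: {}
Conditions: {}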