AWS Console Sign in Failure Alarms

It is a good idea to be aware of sign-in failures on your AWS production accounts. With CloudTrail and CloudWatch, administrators can be alerted (by email or SMS) in a timely manner when repeated sign-in failures occur within a short period, assess the situation, and take action if required. Note that this covers IAM users and the root user signing in to the console with a password; failed attempts against an external identity provider (federated sign-in) are rejected before AWS is involved and do not appear in CloudTrail. Enabling MFA is also highly recommended, especially for production accounts.
The following steps create the alarm using CloudTrail, CloudWatch Logs, a metric filter and SNS.
  1. Log in to the AWS Management Console and go to the CloudTrail dashboard. Enter a trail name, select 'Apply trail to all regions', and enter the name of the S3 bucket where the logs will be stored. Click 'Create Trail'.
  2. Navigate to the Trails dashboard and click the newly created trail. Under the heading 'CloudWatch Logs', enter the name of the CloudWatch log group to which CloudTrail will send the logs. If the log group does not exist yet, entering a new name here creates it. Click Next on the permissions screen (CloudTrail needs an IAM role that allows it to write to the log group). Confirm on the CloudWatch dashboard that the log group has been created.
  3. Create an SNS topic. This topic receives the notification when failed sign-in attempts are recorded; administrators subscribe to it to receive the emails. Navigate to the SNS dashboard, create a new topic named 'SigninFailureSNS', and create email subscriptions for the administrators (each subscriber must confirm the subscription before deliveries start).
  4. Navigate to the CloudWatch dashboard. Select the log group you created while defining the trail and click 'Create Metric Filter'. Enter the following string as the filter pattern:
    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    This matches console sign-in events whose errorMessage is 'Failed authentication' and ignores successful logins and unrelated API errors. Click Next.
  5. Enter a metric namespace (select an existing one or create a new one) and a metric name such as 'ConsoleSigninFailure', then click 'Create Filter'. Each matching log event emits a metric value of 1. On the confirmation screen, click the 'Create Alarm' link.
  6. Enter an alarm name, e.g. 'ProdSignInFailure', and choose a threshold that captures repeated failures rather than a single typo, for example the Sum of the metric >= 3 over a 5-minute period. Under Actions, select the SNS topic created earlier (or enter its ARN), then click 'Create Alarm'.
  7. The alarm is now in place, and administrators receive an email whenever the number of failed login attempts in a period crosses the threshold.
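To show what the metric filter and the alarm actually do with the log data, here is an added Python example of my own; it is not code from the original post or from AWS. It applies the same predicate as the filter pattern above to a handful of constructed CloudTrail ConsoleLogin records, sums the matches per 5-minute period the way the Sum statistic does, and reports which periods would breach an assumed threshold of 3 failures. The sample records, the threshold and period, and the helper names are assumptions made for the example; the masked user name HIDDEN_DUE_TO_SECURITY_REASONS is what CloudTrail really writes when the name entered matches no IAM user.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail records, one JSON document per CloudWatch Logs event, trimmed to
# the fields this example reads. Made up for this example; not real log output.
SAMPLE_LOG_EVENTS = [
    # Successful login with MFA: must not count.
    json.dumps({"eventTime": "2024-03-01T12:00:10Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "203.0.113.10",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    # Three failures inside one 5-minute period: enough to trip a threshold of 3.
    json.dumps({"eventTime": "2024-03-01T12:01:00Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
                "responseElements": {"ConsoleLogin": "Failure"}}),
    # CloudTrail masks the user name when the name entered matches no IAM user, so a
    # password pasted into the wrong field never lands in the log.
    json.dumps({"eventTime": "2024-03-01T12:01:30Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
                "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
                "responseElements": {"ConsoleLogin": "Failure"}}),
    json.dumps({"eventTime": "2024-03-01T12:02:05Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication",
                "responseElements": {"ConsoleLogin": "Failure"}}),
    # A lone failure in the next period: below the threshold, no alarm.
    json.dumps({"eventTime": "2024-03-01T12:09:00Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "sourceIPAddress": "203.0.113.10", "errorMessage": "Failed authentication",
                "responseElements": {"ConsoleLogin": "Failure"}}),
    # Unrelated API error: errorMessage is set but eventName is wrong, must not count.
    json.dumps({"eventTime": "2024-03-01T12:09:30Z", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "sourceIPAddress": "203.0.113.10", "errorCode": "Client.UnauthorizedOperation",
                "errorMessage": "You are not authorized to perform this operation."}),
]


def matches_metric_filter(event):
    """Python equivalent of the filter pattern from the post:
    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }"""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def period_start(event_time, period_minutes):
    """Align an ISO-8601 CloudTrail eventTime to the start of its fixed evaluation period."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.replace(minute=ts.minute - ts.minute % period_minutes, second=0, microsecond=0)


def failures_per_period(raw_events, period_minutes=5):
    """Matching events per period: the metric filter emits a value of 1 per match and the
    alarm aggregates them with the Sum statistic. Keys are ISO period start times."""
    counts = {}
    for raw in raw_events:
        event = json.loads(raw)
        if not matches_metric_filter(event):
            continue
        key = period_start(event["eventTime"], period_minutes).isoformat()
        counts[key] = counts.get(key, 0) + 1
    return counts


def alarm_periods(raw_events, threshold=3, period_minutes=5):
    """Period start times whose Sum reaches the threshold, i.e. the periods in which the
    CloudWatch alarm would enter ALARM state and publish to the SNS topic."""
    counts = failures_per_period(raw_events, period_minutes)
    return sorted(start for start, n in counts.items() if n >= threshold)


def failed_login_summary(raw_events):
    """(time, user name, source IP) for each failure: what an administrator wants to see
    before deciding between an IP block, a password reset or just a phone call."""
    rows = []
    for raw in raw_events:
        event = json.loads(raw)
        if matches_metric_filter(event):
            rows.append((event["eventTime"],
                         event.get("userIdentity", {}).get("userName", "?"),
                         event.get("sourceIPAddress", "?")))
    return rows


if __name__ == "__main__":
    for start, n in sorted(failures_per_period(SAMPLE_LOG_EVENTS).items()):
        print(f"{start}: {n} failed console login(s)")
    print("periods that would alarm:", alarm_periods(SAMPLE_LOG_EVENTS))
    for row in failed_login_summary(SAMPLE_LOG_EVENTS):
        print("  failure at %s user=%s from %s" % row)
```

One practical consequence of the Sum-per-period model: a period with no failed logins produces no data point at all, not a zero, so an alarm left with the default missing-data handling sits in INSUFFICIENT_DATA most of the time. Setting the alarm to treat missing data as not breaching keeps it in OK between incidents and makes a transition to ALARM meaningful.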

