Monitoring and promptly reacting to login or authorization failures is crucial for maintaining the security of your AWS environment. AWS offers a seamless way to achieve this by integrating AWS CloudTrail, CloudWatch Logs, CloudWatch Alarms, and SNS. This blog post will walk you through setting up notifications for login and authorization failures.

Step-by-Step Guide

1. Enable AWS CloudTrail

AWS CloudTrail records all AWS account activity, including login attempts and authorization events.

  • Create a Trail:
    1. Go to the CloudTrail console.
    2. Click on “Create trail.”
    3. Provide a name for your trail.
    4. Select “Yes” to apply the trail to all regions.
    5. Specify an S3 bucket to store the logs.
    6. Enable log file validation for added security.
    7. Click “Create trail.”

2. Create a CloudWatch Log Group

CloudTrail logs can be sent to CloudWatch Logs for further analysis.

  • Set Up a Log Group:
    1. Go to the CloudTrail console.
    2. Select your trail.
    3. Under “CloudWatch Logs,” click “Configure.”
    4. Create a new log group or choose an existing one.
    5. Click “Continue” to start sending logs to CloudWatch.

3. Create a Metric Filter for Failed Logins

Next, we must create a metric filter to identify failed login attempts from the CloudWatch Logs.

  • Set Up Metric Filter:
    1. Go to the CloudWatch console.
    2. Click on “Logs” and select your log group.
    3. Click on “Create metric filter.”
    4. Define a filter pattern. For example, to capture failed console login attempts, use the following pattern (the string must be in straight double quotes, which the filter syntax requires):

       { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

    5. Assign a name to the filter and choose the namespace and metric name.
    6. Click “Create filter.”

4. Create a CloudWatch Alarm

Create a CloudWatch Alarm to trigger notifications based on the metric filter.

  • Set Up Alarm:
    1. Go to the CloudWatch console.
    2. Click on “Alarms” and then “Create alarm.”
    3. Select the metric you created in the previous step.
    4. Define the threshold for the alarm. For example, set it to trigger if there is more than one failed login attempt in a 5-minute period.
    5. Configure the actions to be taken when the alarm enters the ALARM state.

5. Create an SNS Topic for Notifications

SNS (Simple Notification Service) will send notifications when the alarm is triggered.

  • Set Up SNS Topic:
    1. Go to the SNS console.
    2. Click on “Topics” and then “Create topic.”
    3. Provide a name for your topic.
    4. Click “Create topic.”
  • Subscribe to the Topic:
    1. Click on your topic.
    2. Click “Create subscription.”
    3. Choose the protocol (e.g., Email) and provide the endpoint (e.g., your email address).
    4. Click “Create subscription.”

6. Link CloudWatch Alarm to SNS Topic

Finally, configure the CloudWatch Alarm to send notifications to the SNS topic.

  • Link Alarm to SNS:
    1. Go back to your CloudWatch Alarm.
    2. Under “Actions,” click “Add action.”
    3. Select “Send notification to an SNS topic.”
    4. Choose the SNS topic you created.
    5. Click “Update alarm.”
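To see what the metric filter and alarm from steps 3 and 4 actually match, here is an added example (not code from the original post) that mirrors the filter pattern and the "more than one failure per 5-minute period" threshold in plain Python over constructed CloudTrail records. It goes beyond the post's single pattern by also checking the errorCode wildcard patterns used for authorization failures (AccessDenied and UnauthorizedOperation); the sample events and timestamps are constructed for illustration.

```python
"""Replay the CloudTrail metric filter and alarm logic locally over sample events."""
from collections import Counter
from datetime import datetime, timezone
import fnmatch

PERIOD_SECONDS = 300  # alarm period from step 4 (5 minutes)
THRESHOLD = 1         # alarm fires when the Sum in one period is > THRESHOLD


def is_failed_console_login(event):
    """Same test as the post's metric filter pattern on eventName/errorMessage."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def is_authorization_failure(event):
    """Wildcard match on errorCode, as a filter pattern with '*' would apply it."""
    code = event.get("errorCode", "")
    return (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
            or fnmatch.fnmatchcase(code, "AccessDenied*"))


def alarm_periods(events, predicate):
    """Sum matching events per 5-minute period; return ISO starts of breaching periods."""
    counts = Counter()
    for ev in events:
        if predicate(ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")).timestamp()
            counts[int(ts) // PERIOD_SECONDS * PERIOD_SECONDS] += 1
    return [datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
            for start, n in sorted(counts.items()) if n > THRESHOLD]


# Constructed sample CloudTrail records, trimmed to the fields the filters use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:01:40Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:02:10Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}},          # success: no match
    {"eventTime": "2024-05-01T10:20:00Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-05-01T10:03:00Z", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized"},
    {"eventTime": "2024-05-01T10:03:30Z", "eventName": "GetObject",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]

if __name__ == "__main__":
    print("login alarm periods:", alarm_periods(SAMPLE_EVENTS, is_failed_console_login))
    print("authz alarm periods:", alarm_periods(SAMPLE_EVENTS, is_authorization_failure))
```

The single failure at 10:20 stays below the threshold, which is why the alarm only reports the 10:00 period.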

Conclusion

By following these steps, you can receive notifications for login or authorization failures in your AWS environment. This proactive approach helps you address potential security threats quickly, keeping your AWS infrastructure secure.