For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing.md.
This check ensures that a CloudWatch log metric filter and its corresponding alarm are configured to monitor AWS Management Console authentication failures. Without a correct association between the metric alarm (aws_cloudwatch_metric_alarm.metric_name) and the log metric filter (for example, aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id), failed login events may go undetected, leaving the environment exposed to brute-force attacks or unauthorized access attempts. A secure Terraform configuration links the alarm to the appropriate metric filter, as shown in the compliant example below.
This enables timely alerting on suspicious authentication failures, reducing the risk of compromised credentials going unnoticed.
Compliant Code Examples
# Metric filter: counts CloudTrail ConsoleLogin events whose errorMessage is
# "Failed authentication" (the message CloudTrail records for a failed console login).
resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
  name           = "CIS-ConsoleAuthenticationFailure"
  pattern        = "{ (($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\")) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-ConsoleAuthenticationFailure"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

# Alarm: fires when the metric emitted by the filter above reaches the threshold.
# metric_name and namespace must match the filter's metric_transformation.
resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
  alarm_name                = "CIS-3.6-ConsoleAuthenticationFailure"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
Non-Compliant Code Examples
# Non-compliant: the != comparison excludes the failed-authentication events
# the alarm is meant to count.
resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
  name           = "CIS-ConsoleAuthenticationFailure"
  pattern        = "{ (($.eventName = ConsoleLogin)) && ($.errorMessage != \"Failed authentication\") }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-ConsoleAuthenticationFailure"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
  alarm_name                = "CIS-3.6-ConsoleAuthenticationFailure"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
# Non-compliant: $.eventName != ConsoleLogin excludes console logins entirely,
# so console authentication failures are never counted.
resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
  name           = "CIS-ConsoleAuthenticationFailure"
  pattern        = "{ $.eventName != ConsoleLogin && $.errorMessage = \"Failed authentication\" }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-ConsoleAuthenticationFailure"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
  alarm_name                = "CIS-3.6-ConsoleAuthenticationFailure"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
# Non-compliant: || matches every ConsoleLogin event, successful ones included,
# so the alarm fires on normal activity instead of on authentication failures.
resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" {
  name           = "CIS-ConsoleAuthenticationFailure"
  pattern        = "{ $.eventName = ConsoleLogin || $.errorMessage = \"Failed authentication\" }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-ConsoleAuthenticationFailure"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" {
  alarm_name                = "CIS-3.6-ConsoleAuthenticationFailure"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
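To see why only the compliant filter pattern does what this rule wants, and what the alarm-to-filter association actually compares, here is an added Python example (not part of the Datadog rule or page): a small evaluator for the subset of CloudWatch JSON filter syntax used above, run over constructed CloudTrail events, plus the association check. The evaluator's treatment of a missing field (never equal to anything) is a simplifying assumption, not a statement of CloudWatch's exact semantics.

```python
import re

# Constructed CloudTrail events (not from the page): a failed console login,
# a successful console login, and an unrelated API call.
EVENTS = {
    "failed": {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
               "sourceIPAddress": "203.0.113.10"},
    "success": {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    "other": {"eventName": "DescribeInstances"},
}

# Filter patterns taken from the page's compliant and non-compliant examples.
COMPLIANT = '{ (($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication")) }'
NONCOMPLIANT = [
    '{ (($.eventName = ConsoleLogin)) && ($.errorMessage != "Failed authentication") }',
    '{ $.eventName != ConsoleLogin && $.errorMessage = "Failed authentication" }',
    '{ $.eventName = ConsoleLogin || $.errorMessage = "Failed authentication" }',
]

_TERM = re.compile(r'\$\.(\w+)\s*(!=|=)\s*("([^"]*)"|[^\s()]+)')

def pattern_matches(pattern: str, event: dict) -> bool:
    """Evaluate the subset of CloudWatch JSON filter syntax used on this page
    ($.field =/!= value, &&, ||, parentheses) against one top-level event.
    Simplifying assumption: a missing field never equals any value."""
    def resolve(m):
        field, op, raw, quoted = m.groups()
        value = quoted if quoted is not None else raw
        hit = field in event and str(event[field]) == value
        return "True" if (hit if op == "=" else not hit) else "False"
    expr = _TERM.sub(resolve, pattern.strip().strip("{}"))
    expr = expr.replace("&&", " and ").replace("||", " or ").strip()
    # Refuse to eval anything but boolean literals, and/or and parentheses.
    if not re.fullmatch(r"(\s|True|False|and|or|\(|\))*", expr):
        raise ValueError(f"unsupported pattern syntax: {pattern}")
    return bool(eval(expr, {"__builtins__": {}}, {}))

def alarm_wired_to_filter(metric_filter: dict, alarm: dict) -> bool:
    """The association this rule checks: the alarm must name the metric the
    filter emits, in the same namespace. Inputs mirror the page's two resources.
    The page's metric_name references the filter's .id, which the AWS provider
    sets to the filter's name; that works there only because the filter name
    equals the metric_transformation name, which is what is compared here."""
    mt = metric_filter["metric_transformation"]
    return alarm["metric_name"] == mt["name"] and alarm["namespace"] == mt["namespace"]

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, pattern_matches(COMPLIANT, ev), [pattern_matches(p, ev) for p in NONCOMPLIANT])
```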
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.