Console auth failures alarm
Check ID: aws-cw-006
AWS-CW-006 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether a CloudWatch metric filter and alarm exist to detect console authentication failures. Without this monitoring, brute-force and credential stuffing attacks go undetected.
Why it matters
Console authentication failures are a direct indicator of brute-force attacks, credential stuffing from leaked password databases, or targeted password spraying campaigns. AWS does not natively rate-limit console login attempts, so an attacker can try thousands of passwords without being blocked. The 2023 Okta breach demonstrated how repeated authentication failures across multiple accounts indicated a coordinated credential stuffing campaign. Early detection of auth failures allows security teams to lock accounts, enforce IP restrictions, or escalate to MFA-only access before the attacker succeeds. A sudden spike in failed logins from unusual IP ranges or geographic locations is one of the strongest early warning signals available.
Common causes
AWS does not provide built-in brute-force protection or account lockout for IAM users, so organizations must build their own detection. Teams assume that MFA makes brute-force detection unnecessary, forgetting that users with weak passwords and no MFA still exist. Console login failures are logged in CloudTrail but require specific metric filters to surface, which many default monitoring setups omit.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
# Create metric filter:
aws logs put-metric-filter \
--log-group-name <CLOUDTRAIL_LOG_GROUP> \
--filter-name CIS-4.6 \
--filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
--metric-transformations metricName=CIS-4-6,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
--alarm-name CIS-4.6 \
--metric-name CIS-4-6 \
--namespace CISBenchmark \
--statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--alarm-actions <SNS_TOPIC_ARN>
Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "cis_4_6" {
  name           = "CIS-4.6"
  log_group_name = aws_cloudwatch_log_group.cloudtrail.name
  pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"

  metric_transformation {
    name      = "CIS-4-6"
    namespace = "CISBenchmark"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_4_6" {
  alarm_name          = "CIS-4.6"
  metric_name         = "CIS-4-6"
  namespace           = "CISBenchmark"
  statistic           = "Sum"
  period              = 300
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  alarm_actions       = [aws_sns_topic.alerts.arn]
}
Compliance mapping
This check maps to CIS 4.6 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
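To see what the filter pattern and alarm from the remediation sections above actually count, here is an added example (not cloud-audit's code) that applies the same two conditions to constructed CloudTrail records and sums matches per 300-second window with a threshold of 1. The records are constructed samples, trimmed to the fields the filter reads.

```python
from datetime import datetime, timezone

# Constructed CloudTrail records trimmed to the fields the filter inspects;
# not real log data. Two matching failures land in one 5-minute window.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:01:10Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:03:40Z", "eventName": "ConsoleLogin",
     "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    # Same API call, different errorMessage text: the pattern compares the
    # exact string, so this one is never counted.
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "ConsoleLogin",
     "errorMessage": "No username found in supplied account"},
    # Failed non-login call: eventName differs, so the && condition fails.
    {"eventTime": "2024-01-01T10:12:30Z", "eventName": "ListBuckets",
     "errorMessage": "Access Denied"},
]


def matches_failed_console_login(event):
    """Mirror the CIS 4.6 pattern: both selectors must equal their literals."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def failures_per_period(events, period_seconds=300):
    """Sum matching events per fixed window, as metricValue=1 with
    --statistic Sum --period 300 does. Keys are each window's ISO start."""
    counts = {}
    for ev in events:
        if not matches_failed_console_login(ev):
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // period_seconds * period_seconds
        key = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        counts[key] = counts.get(key, 0) + 1
    return counts


def alarming_periods(events, period_seconds=300, threshold=1):
    """Windows where Sum >= threshold (GreaterThanOrEqualToThreshold over a
    single evaluation period), i.e. when the alarm on this page fires."""
    return sorted(k for k, n in failures_per_period(events, period_seconds).items()
                  if n >= threshold)
```

Note that only records whose errorMessage is exactly "Failed authentication" are counted; a login failure reported with different error text would pass through this filter unmatched.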
This check is part of cloud-audit - install with pip install cloud-audit