Home CloudWatch Alarms for Failed Login Attempts

CloudWatch Alarms for Failed Login Attempts


The core of an organization’s strategy is innovation. But, the rapid growth of technology and intense competition has put organizations in a hustle to come up with innovative as well as intelligent solutions. Hence, to catch up with this fast-paced environment, companies prefer cloud computing. But cloud infrastructure, if not secure, can have hazardous side-effects such as eavesdropping, change in security rules, attempts to breach the security of root account and many more. Now, the question arises on how to take full advantage of cloud without spending piles of money. AWS offers quite a lot of security services to prevent any mishappening. One such is setting up CloudWatch metric filters and alarms for every root account sign-in or attempts to sign-in.

Configure CloudWatch alarms & metric filters for failed console login attempts

A CloudTrail log for failed console login attempts will record every endeavor of login. This log is then delivered to CloudWatch to trigger an alarm and notify you. All this happens without any time lag. CloudTrail and CloudWatch act as surveillance for your cloud infrastructure. Since these logs get stored in S3 bucket, you can check them whenever required. AWS also recommends that you should not share your root account credentials with anyone. Instead, create different IAM users’ profiles and provide limited access to them with unique login credentials. Above all, this practice refines the process of identifying the failed console login attempts.

Why do you need the help of Centilytics?

Centilytics touches every aspect of cloud security. It provides an insight that reminds you to create the failed console log in your CloudTrail and configure it in CloudWatch. The insight checks whether all your configuration is correct. It also examines if there is no time lag between the working of services. This, therefore, ensures that all your set alarms notify you on time and enables you to monitor all the API calls.

Insight Description:

OK-Failed Authentication Attempts Alarm
 OK: CloudTrail has CloudWatch logs groups configured with metric filter, alarm, SNS topic with at least one subscriber.
Warning-Failed Authentication Attempts Alarm
Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.
Critical-Failed Authentication Attempts Alarm
 Critical: Delivery to CloudWatch logs not configured.


Also, read why CloudTrail logs should be configured in CloudWatch.

Description of further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account ID

Account Name: Shows account name of the corresponding user’s account.

Account Name

Region: This column shows the region of your instance where it has been used.


Identifier: Shows you the service with its trial name.


Log Group Name: It represents the name of the group which have permission to use the service

Log Group Name

Metric Filter Name: Shows you the name that you have given to the metric filter.

Metric Filter Name

Alarm Name: Shows you the name of the alarm which you had assigned.

Alarm Name

SNS Topic Name: SNS refers to the Simple Notification Service group. A group of individuals who receive the alert message.

SNS Topic Name

Custom Severity Description: Shows the severity of your metric filter and its functions custom description.

Custom Severity Description

Filters Applicable:

Filter Name Description
Account Id Applying account Id filter will display all the public snapshots for the selected account Id.
Region Applying the region filter will display all the public snapshots corresponding to the selected region.
Severity Applying severity filter will display public snapshots according to the selected severity type. Selecting ‘Critical’ will display all instances with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then, selecting an environment from the resource tags filter will display all those resources tagged as ‘environment’.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment:production).

Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.

Compliance Applying Compliance filter, you can further refine your security and health checks.


In conclusion, enabling alarms for failed login attempts keeps your root or any account secure from Brute Force Attacks.


Cloud Management