Failing CIS 3.3 even when metric filter exists
Hello,
We have been failing CIS "3.3 Ensure a log metric filter and alarm exist for usage of "root" account" compliance check. We have a metric filter in place to detect and alert for this action. I am not sure what needs to happen to pass the compliance check.
This is the current filter pattern on the CloudTrail logs in CloudWatch:
{( $.userIdentity.type = "Root" ) && ( $.userIdentity.invokedBy NOT EXISTS ) && ( $.eventType != "AwsServiceEvent" )}
Hi there,
In the current release, SecurityHub is looking for an exact pattern match for the metric filter based on the CIS guidelines. The additional parentheses in the filter pattern may be causing the pattern match to fail. Can you try changing the metric filter pattern to { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } ?
- Aparna
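An added example, not part of the original thread: a small audit that separates metric filters matching the CIS 3.3 pattern character for character from those that are logically the same but differ only in grouping parentheses or spacing, which is the case described above. It assumes "exact match" means string equality with the pattern given in the answer; the `SAMPLE` data is constructed and shaped like a CloudWatch Logs `describe-metric-filters` response, and the filter names in it are hypothetical.

```python
# Pattern suggested in the answer above for CIS 3.3 (assumed to be the exact string checked).
EXPECTED = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
            '&& $.eventType != "AwsServiceEvent" }')


def canonical(pattern):
    """Drop grouping parentheses and whitespace that sit outside quoted strings.

    Only meaningful for terms joined purely by &&; with || grouping changes meaning.
    """
    out, in_quotes = [], False
    for ch in pattern:
        if ch == '"':
            in_quotes = not in_quotes
        if not in_quotes and (ch in "()" or ch.isspace()):
            continue
        out.append(ch)
    return "".join(out)


def classify(pattern):
    """Return 'exact', 'equivalent-not-exact' or 'different' for one filter pattern."""
    if pattern == EXPECTED:
        return "exact"
    if "||" not in pattern and canonical(pattern) == canonical(EXPECTED):
        return "equivalent-not-exact"  # alerts on root usage, but would fail an exact match
    return "different"


def audit(response):
    """Map each filter name in a describe-metric-filters style response to its verdict."""
    return {f["filterName"]: classify(f["filterPattern"])
            for f in response["metricFilters"]}


# Constructed sample input; the first pattern is the one posted in the question.
SAMPLE = {"metricFilters": [
    {"filterName": "root-usage-parens",
     "filterPattern": '{( $.userIdentity.type = "Root" ) && ( $.userIdentity.invokedBy '
                      'NOT EXISTS ) && ( $.eventType != "AwsServiceEvent" )}'},
    {"filterName": "root-usage-cis", "filterPattern": EXPECTED},
    {"filterName": "console-login", "filterPattern": '{ $.eventName = "ConsoleLogin" }'},
]}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A filter reported as `equivalent-not-exact` is the one to rewrite to the expected string before re-running the compliance check.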