By using AWS re:Post, you agree to the Terms of Use
/Failing CIS 3.3 even when metric filter exists/

Failing CIS 3.3 even when metric filter exists


We have been failing CIS "3.3 Ensure a log metric filter and alarm exist for usage of "root" account" compliance check. We have a metric filter in place to detect and alert for this action. I am not sure what needs to happen to pass the compliance check.

This is current filter pattern on the cloudtrail logs in cloudwatch:
{( $.userIdentity.type = "Root" ) && ( $.userIdentity.invokedBy NOT EXISTS ) && ( $.eventType != "AwsServiceEvent" )}

2 Answers

Hi there,

In the current release, SecurityHub is looking for an exact pattern match for the metric filter based on the CIS guidelines. The additional parentheses in the filter pattern may be causing the pattern match to fail. Can you try changing the metric filter pattern to { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" } ?

  • Aparna
answered 3 years ago

I made the changes and it is working now.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions