Failing CIS 3.3 even when metric filter exists

Question

Hello,   
 We have been failing CIS "3.3 Ensure a log metric filter and alarm exist for usage of "root" account" compliance check. We have a metric filter in place to detect and alert for this action. I am not sure what needs to happen to pass the compliance check.  
  
This is current filter pattern on the cloudtrail logs in cloudwatch:  
{( $.userIdentity.type = "Root" ) && ( $.userIdentity.invokedBy NOT EXISTS ) && ( $.eventType != "AwsServiceEvent" )}

Answer

Hi there,  
  
In the current release, SecurityHub is looking for an exact pattern match for the metric filter based on the CIS guidelines. The additional parentheses in the filter pattern may be causing the pattern match to fail. Can you try changing the metric filter pattern to { $.userIdentity.type = "Root"  &&  $.userIdentity.invokedBy NOT EXISTS  && $.eventType != "AwsServiceEvent" } ?  
  
- Aparna

Answer

I made the changes and it is working now.

Failing CIS 3.3 even when metric filter exists

相关内容