Solution overview
Prerequisites
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendEmail",
            "Resource": "<arn-of-verified
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeMetricFilte
            ],
            "Resource": "<arn-for-CloudWa
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:FilterLogEvents"
And that’s it! You will now be notified whenever there are
“Audit Failure” events that reach the threshold you set on a
per-instance basis for your AWS Managed Microsoft AD
domain-joined instances. If you installed and configured the
CloudWatch agent on non–domain-joined instances in Step
1, then you’ll also get notifications for “Audit Failure” events
that are generated by failed login attempts that use local
accounts.
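The per-instance threshold check described above can be sketched offline as follows. This is an added example, not code from the original post: the function names, the sample events, the message text, and the assumption that each instance writes to a log stream named after its instance ID are all illustrative.

```python
from collections import Counter

# Constructed events, shaped like the "events" list that CloudWatch Logs
# FilterLogEvents returns (timestamp = epoch milliseconds). The message text
# and the one-log-stream-per-instance layout are assumptions for this sketch.
T0 = 1_700_000_000_000
MIN = 60_000
FAIL = "[Security] [Audit Failure] [4625] An account failed to log on."
OK = "[Security] [Audit Success] [4624] An account was successfully logged on."
SAMPLE_EVENTS = [
    {"logStreamName": "i-0aaa1111", "timestamp": T0 + 1 * MIN, "message": FAIL},
    {"logStreamName": "i-0aaa1111", "timestamp": T0 + 2 * MIN, "message": FAIL},
    {"logStreamName": "i-0aaa1111", "timestamp": T0 + 3 * MIN, "message": FAIL},
    {"logStreamName": "i-0aaa1111", "timestamp": T0 + 9 * MIN, "message": FAIL},
    {"logStreamName": "i-0bbb2222", "timestamp": T0 + 2 * MIN, "message": FAIL},
    {"logStreamName": "i-0bbb2222", "timestamp": T0 + 3 * MIN, "message": OK},
]


def failures_per_instance(events, start_ms, end_ms, keyword="Audit Failure"):
    """Count keyword-matching events per log stream inside [start_ms, end_ms)."""
    counts = Counter()
    for ev in events:
        if start_ms <= ev["timestamp"] < end_ms and keyword in ev["message"]:
            counts[ev["logStreamName"]] += 1
    return counts


def instances_over_threshold(events, start_ms, end_ms, threshold):
    """Return {instance: count} for instances at or above the threshold."""
    counts = failures_per_instance(events, start_ms, end_ms)
    return {inst: n for inst, n in sorted(counts.items()) if n >= threshold}


def alert_body(breaches, threshold, window_minutes):
    """Build the notification text, or None when no instance breached."""
    if not breaches:
        return None
    lines = [f"Audit Failure threshold ({threshold} in {window_minutes} min) reached on:"]
    lines += [f"  {inst}: {n}" for inst, n in breaches.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = instances_over_threshold(SAMPLE_EVENTS, T0, T0 + 5 * MIN, threshold=3)
    print(alert_body(hits, 3, 5))
```

Four failures fall inside the window across both instances, but only the instance with three of its own is reported, which is the difference between a per-instance threshold and a fleet-wide count.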
Conclusion
In this post, I showed you how you can proactively track and
monitor Windows security audit failures across your AWS
Managed Microsoft AD domain-joined EC2 instances. This
helps provide greater visibility into Windows login activities
for administrators, so that they can take action to maintain
the security of their server fleet. This solution can also be
extended to potentially trigger an automation workflow or
incident response process in the event of unexpected
events.
Tekena Orugbani