Which solution will meet these requirements?
In CloudTrail, turn on Insights events on the trail. Configure an alarm on the insight with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Configure a threshold of 3 and a period of 5 minutes.
Configure CloudTrail to send events to Amazon CloudWatch Logs. Create a metric filter for the relevant log group. Create a filter pattern with eventName matching ConsoleLogin and errorMessage matching “Failed authentication”. Create a CloudWatch alarm with a threshold of 3 and a period of 5 minutes.
Create an Amazon Athena table from the CloudTrail events. Run a query for eventName matching ConsoleLogin and for errorMessage matching “Failed authentication”. Create a notification action from the query to send an Amazon Simple Notification Service (Amazon SNS) notification when the count equals 3 within a period of 5 minutes.
In AWS Identity and Access Management Access Analyzer, create a new analyzer. Configure the analyzer to send an Amazon Simple Notification Service (Amazon SNS) notification when a failed sign-in event occurs 3 times for any IAM user within a period of 5 minutes.
Explanations:
CloudTrail Insights events are used for detecting anomalous patterns, but this specific configuration does not provide the exact level of granularity required for tracking failed sign-in attempts based on errorMessage matching “Failed authentication” within a 5-minute period.
CloudTrail can send events to CloudWatch Logs, where a metric filter can be applied to capture failed login attempts. The filter for eventName matching “ConsoleLogin” and errorMessage matching “Failed authentication” allows CloudWatch to monitor and create an alarm based on a threshold of 3 events within 5 minutes.
While Amazon Athena can query CloudTrail logs, it is not designed to automatically trigger an alert based on a specific threshold in real time. It would require a more complex setup and may not provide the desired immediate notification for failed sign-ins.
AWS Identity and Access Management Access Analyzer is not used for monitoring failed sign-in attempts. It is used for analyzing permissions, not for generating alerts based on failed logins.
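The metric filter and alarm from the CloudWatch Logs explanation, modeled over a few log lines. This is an added example, not part of the original question. The sample records are constructed, and the fixed 5-minute buckets and the `>=` comparison are assumptions about how the alarm is configured.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Metric filter pattern (CloudWatch Logs JSON syntax) for the two fields the question names.
FILTER_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
PERIOD_SECONDS = 300  # alarm period: 5 minutes
THRESHOLD = 3         # alarm threshold

# Constructed CloudTrail-style records, reduced to the fields the filter reads.
def sample_record(time, name="ConsoleLogin", error="Failed authentication"):
    return json.dumps({"eventTime": time, "eventName": name, **({"errorMessage": error} if error else {})})

SAMPLE_LINES = [
    sample_record("2024-05-01T12:01:10Z"),
    sample_record("2024-05-01T12:02:30Z"),
    sample_record("2024-05-01T12:04:59Z"),                     # third failure in the 12:00 period
    sample_record("2024-05-01T12:06:00Z", error=None),         # successful sign-in, no errorMessage
    sample_record("2024-05-01T12:07:00Z"),
    sample_record("2024-05-01T12:08:00Z", "GetObject", "Access Denied"),  # different event
    sample_record("2024-05-01T12:09:00Z"),                     # only two failures in the 12:05 period
    "not a JSON line",
]

def matches(event):
    """Same predicate as FILTER_PATTERN, applied to one parsed record."""
    return (isinstance(event, dict)
            and event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")

def alarm_periods(log_lines):
    """Start times of periods whose matching-event count reaches THRESHOLD (assumed >=)."""
    counts = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines cannot match a JSON filter pattern
        if not matches(event):
            continue
        ts = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        epoch = int(ts.timestamp())
        counts[epoch - epoch % PERIOD_SECONDS] += 1  # assumed epoch-aligned bucket
    return sorted(datetime.fromtimestamp(s, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
                  for s, n in counts.items() if n >= THRESHOLD)

if __name__ == "__main__":
    print(FILTER_PATTERN, alarm_periods(SAMPLE_LINES))
```

The filter counts matching events across the whole log group, so failures from different users add to the same metric.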