Profile Applicability: Level 1


Description:

CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. Using this service you can collect and access all your performance and operational data, in the form of logs and metrics, from a single platform. Activity on application and infrastructure resources generates large amounts of operational and monitoring data in the form of logs and metrics. CloudWatch correlates metrics and logs and visualizes the data sets in a single platform, so you can quickly diagnose a problem and understand its root cause.

A metric alarm watches a single CloudWatch metric or the result of a math expression based on CloudWatch metrics. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. When an unauthorized API call occurs, the alarm can send a notification to an Amazon SNS topic, perform an Amazon EC2 action or an Auto Scaling action, or create an OpsItem or incident in Systems Manager.

Rationale:

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. Monitoring unauthorized API calls will help reveal application errors and may reduce the time to detect malicious activity.

Impact:

The preceding rules together provide clear insight into API call activity in your account, including which calls can impact your applications.

Default Value:

An alarm does not exist for unauthorized API Calls by Default.

Audit:

  1. Log in to the AWS Management Console and go to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/
  2. In the left navigation panel, select Log groups.
  3. Under the Log group column, search for a metric filter named “AuthorizationFailureCount”.

If this metric is not found, unauthorized API calls are currently not monitored using the CloudWatch service.


Via CLI:

To describe the CloudWatch alarms:

aws cloudwatch describe-alarms-for-metric \
  --region us-east-1 \
  --metric-name AuthorizationFailureCount \
  --namespace CloudTrailMetrics


Remediation:

Pre-Requisite:

  • CloudTrail must be enabled in your AWS account

  • You must have an SNS topic to receive notifications

Implementation Steps:

  1. Log in to the AWS Management Console and go to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation pane, click on Log groups under Logs

  3. Click on Create log group

  4. Select the log group you created

  5. Click on the Actions drop-down menu and select Create metric filter

  6. In the Create metric filter page, define the filter pattern as { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") } and then click on the Next button

  7. In Assign metric, under Create filter name, give the filter name as unauthorized_api_calls

  8. Under the Metric details section, type UnauthorizedAttemptCount in the Metric namespace box, type CloudTrailMetrics in the Metric name box as the metric identifier, give the Metric value as 1, optionally select Seconds under Unit, and then click on the Next button

  9. Then click on the Next button.

  10. Review it and click on the Create metric filter button to create it

  11. After clicking on Create metric filter, you will see the Metric filters page

    • Select the metric filter you have created and click on Create alarm on the right side of the Metric filters section.

  12. After clicking on Create alarm, you will be redirected to a new tab to create the alarm; define the following:

    • Metric name: enter CloudtrailMetric

    • Statistic: select Sum

    • Period: 5 minutes

  13. In the Conditions section, select the Threshold type Static, define the alarm condition as Greater than the threshold, give the threshold value 1, and then click on the Next button

  14. Next is Configure actions: for the Alarm state trigger choose In alarm; for SNS topic, select an existing SNS topic or create a new one, then click on Next

  15. Give the alarm a name, e.g. ApiCallMonitoring, and click on the Next button.

  16. Check all the entered details and click on Create alarm

Via CLI:

To create the metric filter alarm:

aws cloudwatch put-metric-alarm \
  --alarm-name <unauthorized_api_calls_alarm> \
  --metric-name <unauthorized_api_calls_metric> \
  --statistic Sum --period 300 --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace '<give the name space>' \
  --alarm-actions <sns_topic_arn>
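As an added illustration that is not part of this benchmark text, the following Python applies the filter pattern from step 6 to constructed CloudTrail-style records and then evaluates the matches against the Sum statistic, 5-minute period and threshold of 1 used in steps 12 and 13 and in the CLI command above. The sample events are made up, and fnmatch's wildcard is assumed to behave like the CloudWatch filter wildcard for these error codes.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real events); only the fields the
# filter pattern and the alarm evaluation look at are included.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-01-01T10:01:10Z", "eventName": "GetObject",
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "DescribeInstances"},  # success
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "ListBuckets",
     "errorCode": "ThrottlingException"},  # an error, but not an authorization failure
    {"eventTime": "2024-01-01T10:09:30Z", "eventName": "AssumeRole",
     "errorCode": "AccessDeniedException"},
]

# Wildcards from the benchmark's filter pattern:
# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
ERROR_CODE_PATTERNS = ("*UnauthorizedOperation", "AccessDenied*")

# Alarm settings from the remediation steps / CLI command.
PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 1          # --threshold 1 with GreaterThanOrEqualToThreshold


def matches_filter(event):
    """Emulate the metric filter: True when $.errorCode matches either wildcard.
    Assumption: fnmatch '*' stands in for the CloudWatch wildcard (codes have no '?' or '[')."""
    code = event.get("errorCode")
    return code is not None and any(fnmatch.fnmatchcase(code, p) for p in ERROR_CODE_PATTERNS)


def _period_start(event_time):
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS


def sum_per_period(events):
    """Sum statistic: each matching event publishes metric value 1 into its 5-minute period."""
    sums = {}
    for ev in events:
        if matches_filter(ev):
            start = _period_start(ev["eventTime"])
            sums[start] = sums.get(start, 0) + 1
    return sums


def periods_in_alarm(events):
    """Period start times (epoch seconds) whose Sum >= THRESHOLD (--evaluation-periods 1)."""
    return sorted(s for s, total in sum_per_period(events).items() if total >= THRESHOLD)
```

Run periods_in_alarm(SAMPLE_EVENTS) to see that two 5-minute periods would put the alarm into the ALARM state, while the throttling error and the successful call are ignored.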


Backout Plan:

  1. Log in to the AWS Management Console and go to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation pane, click on Log groups under Logs

  3. Select the log group you want to delete, click on the Actions drop-down, and select Delete log group(s)

  4. Click on In Alarms in the left navigation pane

  5. Select the alarm you want to delete, click on the Actions drop-down, and select Delete

Note: 

Once the alarm is set, the next time an authorization failure occurs within your AWS account you will receive a notification email with the following message: "You are receiving this email because your Amazon CloudWatch Alarm "Authorization Failures" in the <AWS Region Name> region has entered the ALARM state, because "Threshold Crossed: 1 datapoint (3.0) was greater than the threshold (1.0)." at <Date and Time>".

Configuring the log metric filter and alarm on a multi-region (global) CloudTrail:

  • Ensures that activities from all regions (used as well as unused) are monitored

  • Ensures that activities on all supported global services are monitored

  • Ensures that all management events across all regions are monitored


Reference:


CIS Controls:

6.5 Central Log Management 

    Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. 

6.7 Regularly Review Logs 

    On a regular basis, review logs to identify anomalies or abnormal events.