Profile Applicability: Level 1


Description:

CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. Using this service you can collect and access all your performance and operational data in form of logs and metrics from a single platform. When performing any activities on Application and infrastructure resources it generates lots of operational and monitoring data in form of logs and metrics. On the CloudWatch correlate metrics and logs through the visualize data sets in a single platform. So, We can quickly diagnose the problem to understanding the root cause.

A metric alarm watches a single CloudWatch metric or the result of a math expression based on CloudWatch metrics. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. If any type of unauthorized API call happens it can be sending a notification to an Amazon SNS topic, performing an Amazon EC2 action or an Auto Scaling action, or creating an OpsItem or incident in the System Manager.

Rationale:

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls. Monitoring unauthorized API calls will help reveal application errors and may reduce the time to detect malicious activity.

Impact:

The preceding rules together provide clear insight into API call activity in your account, and which ones can impact your applications.

Default Value:

An alarm does not exist for unauthorized API Calls by Default.

Audit:

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/
  2. In the left navigation panel click on Log groups and select the log group you want to examine
  3. Go to the metric filter tab and Search for the “Unauthorized_APIcalls” metric parameter name 

If this metric is not found then unauthorized API calls are currently not monitored using the CloudWatch service.


Via CLI:

To describe the metric filters

aws cloudwatch describe-metric-filters --log-group-name <value>


Remediation:

Pre-Requisite:

  • Cloud trails Must be enabled in your AWS account

  • You must contain SNS Topic to get notification

Implementation Steps:

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation, pane click on Log groups under Logs

  3. Select the log group for which you want to create a metric filter 

  4. Click on the Actions drop-down menu, select create a metric filter

  5. In the Create metric filter page, we define the filter pattern as { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }. and then click on Next button

  6. In Assign metric page, under the Create filter name give the filter name as unauthorized_api_calls

  7. Under the Metric Details section, provide the details required like Metric namespace, Metric name, metric value, and Default value(optional), and then click on the Next button 

  8. Review the details provided and click on Create metric filter button to create it

  9. After clicking on create metric filter You will see a metric filters page, Select the metric filter you have created and click on create alarm on the right side of the Metric filters section.

  10. After clicking on create alarm you will be redirected to the next tab to Create Alarm, define the following:-

    • Metric name (it automatically takes from the metric filter)

    • Statistic select Sum

    • Period as 5minutes

  11. In the conditions section select the Threshold type to Static, Define the alarm condition with a Greater(>) threshold and give the value of threshold as you defined in metric value then click on the Next button

  12. Next is Configure actions in this choose Alarm state trigger option as In alarm, For SNS topic select SNS if exist or can create a new topic, click on NEXT

  13. Give the Name of Alarm e.g. ApiCallMonitoring and Alarm description(optional), click on the Next button.

  14. Review all the entered details and click on create Alarm

Via CLI:

To create the Metric Filter alarm

aws cloudwatch put-metric-alarm 
--alarm-name <value>
--metric-name <value> 
--statistic Sum --period 300 --threshold <value>
--comparison-operator <value>
--evaluation-periods 1 -namespace '<give the name space>' 
--alarm-actions <sns_topic_arn>


Backout Plan:

  1. Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/

  2. In the left navigation, pane click on Log groups under Logs

  3. Select the log group you want to modify, go to metric filter tab

  4. Choose the metric filter you want to delete and click on Delete

  5. Click on In Alarms in the left navigation pane

  6. Select the alarm you want to delete, click on the Actions drop-down, and select Delete

Note: 

When you set an alarm, next time when an authorization failure occurs within your AWS account, you will receive a notification email with the following message: "You are receiving this email because your Amazon CloudWatch Alarm “Authorization Failures” in the <AWS Region Name> region has entered the ALARM state, because “Threshold Crossed: 1 datapoint (3.0) was greater than the threshold (1.0).” at <Date and Time>”.

Configuring log metric filter and alarm on Multi-region (global) CloudTrail

  • Ensures that activities from all regions (used as well as unused) are monitored 

  • Ensures that activities on all supported global services are monitored

  • Ensures that all management events across all regions are monitored


Reference:


CIS Controls:

6.5 Central Log Management 

    Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. 

6.7 Regularly Review Logs 

    On a regular basis, review logs to identify anomalies or abnormal events.