Description:
CloudWatch is a monitoring and management service that provides data and actionable insights for AWS, hybrid, and on-premises applications and infrastructure resources. Using this service you can collect and access all your performance and operational data in form of logs and metrics from a single platform.
When performing any activities on Application and infrastructure resources it generates lots of operational and monitoring data in form of logs and metrics. On Amazon, CloudWatch correlates metrics and logs through the visualized data sets in a single platform. So, We can quickly diagnose the problem to understand the root cause.
Rational:
Real-time monitoring of IAM policy change can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for IAM policy change.
Impact:
The preceding rules together provide clear insight into IAM policy change and will notify you if it breaks the rule.
Default value:
By default, a Metric Filter for specific CloudTrail log events and a CloudWatch alarm for the usage of IAM policy change will not exist.
Pre-Requisite:
Cloud trails Must be enabled in your AWS account
You must contain SNS Topic to get notification
Remediation:
Test Plan:
- Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/
- In the left navigation panel click on Log groups and select the log group you want to examine
- Go to the metric filter tab and Search for the metric filter related to IAM policy change
If the particular metric filter is not found it means IAM policy changes are not monitored by cloud watch.
Using AWS CLI:
To describe the Cloudwatch metrics
aws cloudwatch describe-metric-filters --log-group-name <value>
Implementation Steps:
Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/
In the left navigation, pane click on Log groups under Logs
Select the log group for which you want to create a metric filter
Click on the Actions drop-down menu, select create a metric filter
In the Create metric filter page, we define the filter pattern as {($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }and then click on Next button
On Assign metric page, under the Create filter name give the filter name as IAM_policy_change
Under the Metric Details section, provide the details required like Metric namespace, Metric name, metric value, and Default value(optional), and then click on the Next button
Review the details provided and click on Create metric filter button to create it
After clicking on create metric filter You will see a metric filters page, Select the metric filter you have created and click on create an alarm on the right side of the Metric filters section.
After clicking on create alarm you will be redirected to the next tab to Create Alarm, define the following:-
Metric name (it automatically takes from the metric filter)
Statistic select Sum
Period as 5minutes
In the conditions section select the Threshold type to Static, Define the alarm condition with a Greater(>) threshold and give the value of threshold as you defined in metric value then click on the Next button
Next is Configure actions in this choose Alarm state trigger option as In alarm, For SNS topic select SNS if exist or can create a new topic, click on NEXT
Give the Name of Alarm and Alarm description(optional), click on the Next button.
Review all the entered details and click on create Alarm
Using AWS CLI:
To create a metric filter
put-metric-filter --log-group-name <value> --filter-name <value> --filter-pattern <value> --metric-transformations <value>
To create Alarm
aws cloudwatch put-metric-alarm --alarm-name <value> --metric-name <value> --statistic Sum --period 300 --threshold <value> --comparison-operator <value> --evaluation-periods 1 -namespace '<give the name space>' --alarm-actions <sns_topic_arn>
Backout plan:
Log in to the AWS Management Console and go to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/
In the left navigation, pane click on Log groups under Logs
Select the log group you want to modify, go-to metric filter tab
Choose the metric filter you want to delete and click on Delete
Click on In Alarms in the left navigation pane
Select the alarm you want to delete, click on the Actions drop-down, and select Delete
Using AWS CLI:
The following command deletes a log group named :
aws logs delete-log-group --log-group-name <name_the group logs>
The delete-alarms command to delete the Amazon CloudWatch alarm
aws cloudwatch delete-alarms --alarm-names <value>
Reference:
Amazon CloudWatch concepts - Amazon CloudWatch