Description:

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

Rationale:

Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. 

Impact:

Ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Default value:

By default, CloudTrail trails do not deliver these events to CloudWatch Logs, and CloudWatch has no metric filters or alarms for them.

Pre-Requisite:

AWS Organizations, CloudTrail, CloudWatch and SNS.

Remediation:


Test Plan:

  • AWS Console Process

  1. Log in to the AWS console of the Organizations account, go to CloudTrail and click Trails in the left pane.
  2. Click the trail whose details you want to see.
  3. Identify multi-region trails: trails with "IsMultiRegionTrail" set to true.
  4. Note: if there is none, follow the Implementation Plan.
  5. Under the CloudWatch Logs section, check whether a log group is configured.
  6. Open the CloudWatch console.
  7. In the left pane, click Settings.
  8. On the CloudWatch settings dashboard, view the list of CloudWatch alarms and filter on organizations_changes.
  9. Note: if there is none, follow the Implementation Plan.
  10. Next check SNS: open the SNS dashboard.
  11. Click Topics in the left pane.
  12. Check that at least one subscription has a "Subscription Arn" containing a valid AWS ARN.


Using AWS CLI

  1. Perform the following to ensure that there is at least one active multi-region CloudTrail with the prescribed metric filters and alarms configured:

  • Identify the log group name configured for use with the active multi-region CloudTrail:

  • List all CloudTrails:

    aws cloudtrail describe-trails

  • Identify multi-region CloudTrails: trails with "IsMultiRegionTrail" set to true.

  • From the value associated with CloudWatchLogsLogGroupArn, note <cloudtrail_log_group_name>.

  • Example: for a CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup.

  • Ensure the identified multi-region CloudTrail is active:

    aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>

    Ensure IsLogging is set to TRUE.

  • Ensure the identified multi-region CloudTrail captures all management events:

    aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>

    Ensure there is at least one event selector for the trail with IncludeManagementEvents set to true and ReadWriteType set to All.

  2. Get a list of all metric filters associated with this log group:

    aws logs describe-metric-filters --log-group-name "<cloudtrail_log_group_name>"

  3. Ensure the output from the above command contains the following:

"filterPattern": "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") ||
($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }"

  4. Note the <organizations_changes> value associated with the filterPattern.

  5. Get a list of CloudWatch alarms and filter on the <organizations_changes> metric name:

    aws cloudwatch describe-alarms --query 'MetricAlarms[?MetricName==`<organizations_changes>`]'

  6. Note the AlarmActions value; this is the SNS topic ARN.

  7. Ensure there is at least one active subscriber to the SNS topic with the following command:

    aws sns list-subscriptions-by-topic --topic-arn <sns_topic_arn>

    At least one subscription should have a "SubscriptionArn" containing a valid AWS ARN. Example of a valid "SubscriptionArn":

    "arn:aws:sns:<region>:<aws_account_number>:<SnsTopicName>:<SubscriptionID>"
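The CLI steps above can be run as one automated check. The following is an added example, not part of the benchmark: a Python audit function that walks the same chain (multi-region trail, IsLogging, event selectors, a metric filter whose pattern covers all 18 Organizations event names, an alarm on that metric, and a confirmed SNS subscription). The client objects are duck-typed on the boto3 method names (describe_trails, get_trail_status, get_event_selectors, describe_metric_filters, describe_alarms, list_subscriptions_by_topic), so real boto3 clients can be passed in; the FakeClient class, the account number 111122223333, the trail, log group and topic names and the subscription ID are constructed for the offline run.

```python
"""Offline walk of the CLI test plan above (added example, not benchmark code).
The checker takes duck-typed boto3-style clients (cloudtrail, logs, cloudwatch,
sns), so it runs against real boto3 clients or, as here, constructed fakes."""
import re

REQUIRED_SOURCE = "organizations.amazonaws.com"
# The 18 Organizations API names the benchmark's filter pattern must cover.
REQUIRED_EVENTS = {
    "AcceptHandshake", "AttachPolicy", "CreateAccount", "CreateOrganizationalUnit",
    "CreatePolicy", "DeclineHandshake", "DeleteOrganization", "DeleteOrganizationalUnit",
    "DeletePolicy", "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy", "UpdateOrganizationalUnit",
}
# The benchmark's pattern rebuilt from that list (same clauses, sorted order).
COMPLIANT_PATTERN = ("{ ($.eventSource = organizations.amazonaws.com) && ("
                     + " || ".join(f'($.eventName = "{n}")' for n in sorted(REQUIRED_EVENTS))
                     + ") }")

def log_group_name_from_arn(arn):
    # arn:aws:logs:<region>:<account>:log-group:<name>:*  ->  <name>
    m = re.search(r":log-group:([^:]+)", arn)
    return m.group(1) if m else None

def pattern_covers_required_events(filter_pattern):
    """True if the pattern names the Organizations event source and every
    required eventName literal; additional names are allowed."""
    if f"$.eventSource = {REQUIRED_SOURCE}" not in filter_pattern:
        return False
    names = set(re.findall(r'\$\.eventName\s*=\s*"([^"]+)"', filter_pattern))
    return REQUIRED_EVENTS <= names

def audit(cloudtrail, logs, cloudwatch, sns):
    """Return (passed, findings); passes once one multi-region trail has the full chain."""
    findings = []
    for trail in cloudtrail.describe_trails().get("trailList", []):
        name, group_arn = trail.get("Name"), trail.get("CloudWatchLogsLogGroupArn")
        if not trail.get("IsMultiRegionTrail"):
            continue
        if not group_arn:
            findings.append(f"{name}: no CloudWatch Logs log group configured")
            continue
        if not cloudtrail.get_trail_status(Name=name).get("IsLogging"):
            findings.append(f"{name}: IsLogging is false")
            continue
        selectors = cloudtrail.get_event_selectors(TrailName=name).get("EventSelectors", [])
        if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                   for s in selectors):
            findings.append(f"{name}: no selector with IncludeManagementEvents and ReadWriteType=All")
            continue
        group = log_group_name_from_arn(group_arn)
        filters = logs.describe_metric_filters(logGroupName=group).get("metricFilters", [])
        covering = [f for f in filters if pattern_covers_required_events(f.get("filterPattern", ""))]
        if not covering:
            findings.append(f"{group}: no metric filter covering the Organizations events")
            continue
        metric_keys = {(t["metricName"], t.get("metricNamespace"))
                       for f in covering for t in f.get("metricTransformations", [])}
        alarms = [a for a in cloudwatch.describe_alarms().get("MetricAlarms", [])
                  if (a.get("MetricName"), a.get("Namespace")) in metric_keys]
        if not alarms:
            findings.append(f"{group}: no alarm on the Organizations metric")
            continue
        for alarm in alarms:
            for topic_arn in alarm.get("AlarmActions", []):
                subs = sns.list_subscriptions_by_topic(TopicArn=topic_arn).get("Subscriptions", [])
                # An unconfirmed subscription reports the literal "PendingConfirmation" here.
                if any(s.get("SubscriptionArn", "").startswith("arn:aws:sns:") for s in subs):
                    return True, findings
            findings.append(f"{alarm.get('AlarmName')}: no confirmed SNS subscription")
    if not findings:
        findings.append("no active multi-region trail delivering to CloudWatch Logs")
    return False, findings

class FakeClient:
    """Constructed stand-in for a boto3 client: every method returns canned data."""
    def __init__(self, **responses):
        self.responses = responses
    def __getattr__(self, method):
        return lambda **kwargs: self.responses[method]

def compliant_clients(pending_subscription=False):
    """Constructed responses shaped like the real API output (account, names and IDs are made up)."""
    topic = "arn:aws:sns:us-east-1:111122223333:cis-alarms"
    transform = {"metricName": "organizations_changes", "metricNamespace": "CISBenchmark", "metricValue": "1"}
    return (
        FakeClient(describe_trails={"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                       "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:NewGroup:*"}]},
                   get_trail_status={"IsLogging": True},
                   get_event_selectors={"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}),
        FakeClient(describe_metric_filters={"metricFilters": [{"filterName": "organizations_changes",
                       "filterPattern": COMPLIANT_PATTERN, "metricTransformations": [transform]}]}),
        FakeClient(describe_alarms={"MetricAlarms": [{"AlarmName": "organizations_changes", "Namespace": "CISBenchmark",
                       "MetricName": "organizations_changes", "AlarmActions": [topic]}]}),
        FakeClient(list_subscriptions_by_topic={"Subscriptions": [{"Protocol": "email", "SubscriptionArn":
                       "PendingConfirmation" if pending_subscription else f"{topic}:0f1e2d3c-0000-4000-8000-000000000000"}]}),
    )
```

A subscription that has not been confirmed reports the literal string PendingConfirmation in SubscriptionArn rather than an ARN, which is why the last check tests for the arn:aws:sns: prefix; that is the condition step 7 above asks you to verify. With real clients, `audit(boto3.client("cloudtrail"), boto3.client("logs"), boto3.client("cloudwatch"), boto3.client("sns"))` runs the same walk against the account.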


Implementation Plan:

  • AWS Console Process

  1. Log in to the AWS Management Console and go to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/
  2. In the left navigation pane, click Log groups under Logs.
  3. Select the log group for which you want to create a metric filter.
  4. Click the Actions drop-down menu and select Create metric filter.
  5. On the Create metric filter page, define the filter pattern as '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'
  6. On the Assign metric page, under Create filter name, give the filter name as organizations_changes.
  7. Under the Metric details section, provide the Metric namespace, Metric name, Metric value and (optionally) Default value, then click Next.
  8. Review the details provided and click Create metric filter.
  9. You will then see the Metric filters page. Select the metric filter you created and click Create alarm on the right side of the Metric filters section.
  10. You are redirected to a new tab to create the alarm. Define the following:

    • Metric name (taken automatically from the metric filter)

    • Statistic: select Sum

    • Period: as required

  11. In the Conditions section set Threshold type to Static, define the alarm condition with a Greater (>) threshold and set the threshold value to the metric value you defined, then click Next.

  12. Next, under Configure actions, set the Alarm state trigger to In alarm; for the SNS topic select an existing topic or create a new one, then click Next.

  13. Give the alarm a name and click Next.

  14. Review all the entered details and click Create alarm.


Using AWS CLI

Perform the following to set up the metric filter, alarm, SNS topic and subscription:

  • Identify the log group name configured for use with the active multi-region CloudTrail:

  • List all CloudTrails:

    aws cloudtrail describe-trails

  • Identify multi-region CloudTrails: trails with "IsMultiRegionTrail" set to true.

  • From the value associated with CloudWatchLogsLogGroupArn, note <cloudtrail_log_group_name>.

  • Example: for a CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup.

  • Ensure the identified multi-region CloudTrail is active (IsLogging set to true):

    aws cloudtrail get-trail-status --name <Name of a Multi-region CloudTrail>

  • Create a metric filter on <cloudtrail_log_group_name> based on the filter pattern provided, which checks for AWS Organizations changes:

    aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> \
      --filter-name <organizations_changes> \
      --metric-transformations metricName=<organizations_changes>,metricNamespace='CISBenchmark',metricValue=1 \
      --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) &&
    (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") ||
    ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit")
    || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") ||
    ($.eventName = "DeleteOrganization") || ($.eventName =
    "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") ||
    ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") ||
    ($.eventName = "EnablePolicyType") || ($.eventName =
    "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") ||
    ($.eventName = "MoveAccount") || ($.eventName =
    "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") ||
    ($.eventName = "UpdateOrganizationalUnit")) }'

Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.

  • Create an SNS topic that the alarm will notify:

    aws sns create-topic --name <sns_topic_name>

Note: you can execute this command once and then re-use the same topic for all monitoring alarms.

  • Create an SNS subscription to the topic created:

    aws sns subscribe --topic-arn <sns_topic_arn> \
      --protocol <protocol_for_sns> \
      --notification-endpoint <sns_subscription_endpoints>

  • Create an alarm that is associated with the CloudWatch Logs metric filter and the SNS topic created:

    aws cloudwatch put-metric-alarm \
      --alarm-name <organizations_changes> \
      --metric-name <organizations_changes> \
      --statistic Sum \
      --period 300 \
      --threshold 1 \
      --comparison-operator GreaterThanOrEqualToThreshold \
      --evaluation-periods 1 \
      --namespace 'CISBenchmark' \
      --alarm-actions <sns_topic_arn>
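To see what the filter pattern in the put-metric-filter command (and in console step 5) actually selects, here is an added example, not code from the benchmark or from AWS: a small evaluator for the subset of the CloudWatch Logs JSON filter-pattern syntax the pattern uses, run over constructed CloudTrail records as they would be delivered to the log group. It assumes exact string matching and that a missing field never matches, which is a simplification of the real CloudWatch semantics; the sample records are made up.

```python
"""Evaluator for the subset of CloudWatch Logs JSON filter-pattern syntax the
benchmark uses: { ... }, parentheses, &&, ||, $.field = value, $.field != value.
Added example, not code from the benchmark or from AWS. Assumed simplifications:
exact string matching only (no * wildcards, no numeric operators), and a
missing field never matches, even for !=."""
import json
import re

ORG_PATTERN = (  # the benchmark's pattern, verbatim
    '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || '
    '($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || '
    '($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || '
    '($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || '
    '($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || '
    '($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || '
    '($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'
)
# Tokens: braces, parentheses, && and ||, != and =, quoted strings, bare words ($.x, values).
TOKEN_RE = re.compile(r'\s*(\{|\}|\(|\)|&&|\|\||!=|=|"[^"]*"|[^\s{}()=!"|&]+)')

def tokenize(pattern):
    pattern, pos, tokens = pattern.strip(), 0, []
    while pos < len(pattern):
        m = TOKEN_RE.match(pattern, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class Parser:
    """pattern := '{' expr '}'; expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '(' expr ')' | selector ('=' | '!=') value.  Produces nested tuples."""
    def __init__(self, pattern):
        self.toks, self.i = tokenize(pattern), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        self.take("{")
        node = self.expr()
        self.take("}")
        if self.peek() is not None:
            raise ValueError("trailing tokens after '}'")
        return node
    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        selector, op, value = self.take(), self.take(), self.take()
        if not selector.startswith("$.") or op not in ("=", "!="):
            raise ValueError(f"bad comparison: {selector} {op} {value}")
        return ("cmp", selector[2:].split("."), op, value.strip('"'))

def evaluate(node, record):
    """Evaluate a parsed tree against one CloudTrail record (a parsed JSON object)."""
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    _, path, op, value = node
    cur = record
    for key in path:                      # walk $.a.b.c; absent field -> no match
        if not isinstance(cur, dict) or key not in cur:
            return False
        cur = cur[key]
    return str(cur) == value if op == "=" else str(cur) != value

def compile_pattern(pattern):
    tree = Parser(pattern).parse()
    return lambda record: evaluate(tree, record)

def count_matches(pattern, log_lines):
    """Number of delivered records the filter matches: with metricValue=1 this is
    the per-period Sum the alarm compares against its threshold."""
    matches = compile_pattern(pattern)
    return sum(1 for line in log_lines if matches(json.loads(line)))

# Constructed CloudTrail records as delivered to the log group, one JSON document per line.
SAMPLE_RECORDS = [
    json.dumps({"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount",
                "awsRegion": "us-east-1", "userIdentity": {"type": "AssumedRole"}}),
    # Read-only call: deliberately absent from the pattern, so it does not count.
    json.dumps({"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"}),
    # Denied call still matches: the pattern does not inspect errorCode.
    json.dumps({"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
                "errorCode": "AccessDenied"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreateUser"}),
]
```

Two things the sample records show: read-only Organizations calls such as DescribeOrganization are not in the list and do not count, and a call that was denied (errorCode present) still matches because the pattern does not look at errorCode, so the alarm also fires on attempted changes. With metricValue=1 the value returned by count_matches is the period Sum; the CLI alarm above uses GreaterThanOrEqualToThreshold with threshold 1, so a single matching event in a 300-second period raises it.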

Backout Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Open the Trails page of the CloudTrail console.

  3. Choose the desired trail name.

  4. At the top of the trail details page, choose Delete.

  5. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  6. In the navigation pane, choose Alarms.

  7. Select the check box to the left of the desired alarm's name, then choose Actions, Delete.

  8. Choose Delete.

  9. Sign in to the Amazon SNS console.

  10. In the left navigation pane, choose Subscriptions.

  11. On the Subscriptions page, select a subscription with a Status of Confirmed, and then choose Delete.

  12. In the Delete subscription dialog box, choose Delete.


Using AWS CLI

  • List all CloudTrails:

    aws cloudtrail describe-trails

  • Identify multi-region CloudTrails: trails with "IsMultiRegionTrail" set to true.

  • From the value associated with CloudWatchLogsLogGroupArn, note <cloudtrail_log_group_name>.

  • Example: for a CloudWatchLogsLogGroupArn that looks like arn:aws:logs:<region>:<aws_account_number>:log-group:NewGroup:*, <cloudtrail_log_group_name> would be NewGroup.

  • Delete the trail created (delete-trail takes the trail name or trail ARN):

    aws cloudtrail delete-trail --name <Name of a Multi-region CloudTrail>

  • Delete the SNS topic created:

    aws sns delete-topic --topic-arn <sns_topic_arn>

  • Delete the alarm created:

    aws cloudwatch delete-alarms --alarm-names <organizations_changes>

References:

Logging and monitoring in AWS Organizations - AWS Organizations (amazon.com)