Profile Applicability:

Level 1

Description:

AWS CloudTrail provides real-time monitoring of API calls by logging events to CloudWatch Logs or an external SIEM. Monitoring AWS Organizations changes is essential to detect unauthorized modifications that could weaken security or enable unauthorized access.

This control ensures that AWS Organizations changes are logged, monitored, and alerted using CloudWatch Alarms and Amazon SNS notifications.

Rationale:

Monitoring AWS Organizations changes provides:

  • Immediate detection of unauthorized modifications.

  • Forensic evidence in case of a security breach.

  • Protection against accidental misconfiguration.

  • Early warning alerts to security teams for rapid incident response.

Impact:

  • Failure to monitor AWS Organizations changes can result in:

    • Unauthorized modifications to organizational policies.

    • Security misconfigurations that increase risk.

    • Delayed response to malicious activities.

  • Enabling monitoring does not affect performance, but it incurs CloudWatch and CloudTrail costs.

Default Value:

  • AWS Organizations API events are not logged by default unless configured in AWS CloudTrail.

  • No default CloudWatch Alarms or SNS notifications exist for monitoring AWS Organizations changes.

Pre-Requisites:

  1. AWS CloudTrail enabled with multi-region logging.

  2. AWS CloudWatch Logs enabled and linked to CloudTrail.

  3. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • logs:PutMetricFilter

    • cloudwatch:PutMetricAlarm

    • sns:CreateTopic

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.

  3. Verify there is at least one multi-region CloudTrail trail enabled.

  4. Ensure CloudTrail is logging management events:

    • Click on the trail and check Event Selectors.

    • Ensure management events are set to "All".

  5. Check that CloudTrail logs are being sent to CloudWatch Logs.

  6. Navigate to CloudWatch Logs: AWS CloudWatch Console.

  7. Ensure that a metric filter is created for AWS Organizations API events.

  8. Check that a CloudWatch Alarm exists for the AWS Organizations API changes metric filter.

Implementation Steps

Using AWS CLI

Step 1: Create a Metric Filter for AWS Organizations Changes

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name organizations-changes \
--metric-transformations metricName=organizations-changes,metricNamespace='CISBenchmark',metricValue=1 \
--filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name organizations-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <notification-email-address>

Step 4: Create a CloudWatch Alarm for AWS Organizations Changes

aws cloudwatch put-metric-alarm --alarm-name organizations-changes \
--metric-name organizations-changes --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns-topic-arn>
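To see what the metric filter from Step 1 and the alarm from Step 4 actually react to, the following added example (not part of the benchmark text) replays constructed CloudTrail records through the same match logic the filter pattern expresses, then applies the alarm's Sum statistic and threshold. The sample records are constructed and trimmed to the two fields the pattern inspects.

```python
"""Added example: local replay of the benchmark's metric filter and alarm
logic against constructed CloudTrail records (not the benchmark's code)."""
import json

# Event names copied verbatim from the benchmark's --filter-pattern.
ORG_EVENT_NAMES = {
    "AcceptHandshake", "AttachPolicy", "CreateAccount",
    "CreateOrganizationalUnit", "CreatePolicy", "DeclineHandshake",
    "DeleteOrganization", "DeleteOrganizationalUnit", "DeletePolicy",
    "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy",
    "UpdateOrganizationalUnit",
}
ORG_EVENT_SOURCE = "organizations.amazonaws.com"


def matches_filter(record: dict) -> bool:
    """Mirror the pattern: eventSource must be Organizations AND eventName
    must be one of the listed write actions. The pattern does not test
    errorCode, so a denied attempt matches too; for a detection that is
    desirable, because a blocked change attempt is still worth an alert."""
    return (record.get("eventSource") == ORG_EVENT_SOURCE
            and record.get("eventName") in ORG_EVENT_NAMES)


def metric_sum(log_lines) -> int:
    """metricValue=1 per matching log line, aggregated with the Sum
    statistic over one 300-second period, as the alarm is configured."""
    return sum(1 for line in log_lines if matches_filter(json.loads(line)))


def alarm_state(total: int, threshold: int = 1) -> str:
    """GreaterThanOrEqualToThreshold, threshold 1, one evaluation period."""
    return "ALARM" if total >= threshold else "OK"


# Constructed sample records (not real CloudTrail output).
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": ORG_EVENT_SOURCE, "eventName": "CreateAccount"}),
    json.dumps({"eventSource": ORG_EVENT_SOURCE, "eventName": "DetachPolicy",
                "errorCode": "AccessDenied"}),             # denied, still matches
    json.dumps({"eventSource": ORG_EVENT_SOURCE,
                "eventName": "DescribeOrganization"}),     # read-only, no match
    json.dumps({"eventSource": "iam.amazonaws.com",
                "eventName": "CreatePolicy"}),             # IAM, not Organizations
]

if __name__ == "__main__":
    total = metric_sum(SAMPLE_LOG_LINES)
    print(f"matching events: {total}, alarm state: {alarm_state(total)}")
```

The read-only DescribeOrganization call and the same-named IAM CreatePolicy call do not count, while the denied DetachPolicy attempt does, so two of the four sample records put the alarm into ALARM.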

Backout Plan:

  1. Delete the CloudWatch Alarm:

    aws cloudwatch delete-alarms --alarm-names organizations-changes

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name organizations-changes

  3. Delete the SNS topic:

    aws sns delete-topic --topic-arn <sns-topic-arn>

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
------------------- | ---------- | -------------------------------------------------------------------------------------------------------------
CIS v8              | 8.5        | Collect detailed audit logs, including event source, date, user, timestamp, source addresses, and other useful elements.
CIS v8              | 8.11       | Conduct weekly (or more frequent) audit log reviews to detect anomalies.
CIS v7              | 6.2        | Activate audit logging on all systems and networking devices.
CIS v7              | 6.3        | Enable system logging with detailed information (event source, date, user, etc.).
CIS v7              | 14.6       | Protect stored information with access control lists (ACLs).
CIS v8              | 11.5       | Monitor and alert on unauthorized access or security-relevant changes within AWS Organizations.
CIS v8              | 11.6       | Ensure security logs are retained and analyzed for unusual activity.