Profile Applicability:
Level 1
Description:
AWS Identity and Access Management (IAM) policies define permissions for users, groups, and roles. Any modification to IAM policies can impact security posture, so continuous monitoring is essential. This control ensures that CloudTrail events related to IAM policy modifications are logged, monitored, and alerted via CloudWatch Alarms and SNS notifications.
Events to monitor include:
Policy Creation, Modification, and Deletion
Policy Attachments and Detachments to IAM Roles, Users, or Groups
Changes to Inline and Managed Policies
Rationale:
IAM policies govern who can access what within an AWS environment. Monitoring changes can:
Detect unauthorized modifications that could allow privilege escalation or data breaches.
Support compliance with frameworks such as SOC 2, HIPAA, and PCI DSS.
Identify accidental misconfigurations before they cause security issues.
Impact:
Real-time detection of unauthorized IAM policy changes.
Possible alert fatigue in large environments with frequent IAM policy updates.
Requires fine-tuning to reduce noise from expected changes.
Default Value:
AWS does not alert on IAM policy changes by default.
CloudTrail logs IAM policy changes, but organizations must configure CloudWatch Alarms and SNS notifications for proactive monitoring.
Pre-Requisites:
AWS CloudTrail enabled with multi-region logging.
CloudWatch Logs enabled and integrated with CloudTrail.
IAM Permissions Required:
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
cloudwatch:DescribeAlarms
sns:ListSubscriptionsByTopic
logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Management Console.
Navigate to CloudTrail: AWS CloudTrail Console.
Verify there is at least one active multi-region CloudTrail trail.
Check that CloudTrail logs are sent to CloudWatch Logs.
Navigate to CloudWatch Logs: AWS CloudWatch Console.
Ensure that a metric filter exists for IAM policy changes on the trail's log group.
Check CloudWatch Alarms for alerts on IAM policy changes.
Implementation Steps:
Using AWS CLI
Step 1: Create a Metric Filter for IAM Policy Changes
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
  --filter-name iam-changes-metric \
  --metric-transformations metricName=iam-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
  --filter-pattern '{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}'
Step 2: Create an SNS Topic for Notifications
aws sns create-topic --name iam-policy-changes-alerts
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>
Step 4: Create a CloudWatch Alarm for IAM Policy Changes
aws cloudwatch put-metric-alarm --alarm-name iam-policy-changes-alarm \
  --metric-name iam-changes-metric --statistic Sum --period 300 \
  --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
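As an added example (not part of this benchmark or of any AWS tooling), the Python below audits a metric filter pattern, such as one returned by logs:DescribeMetricFilters during the test plan, against the 16 event names the Step 1 filter requires, and evaluates it over sample CloudTrail records. The pattern and records are constructed, and only the OR-of-equalities pattern form used in Step 1 is parsed, not the full CloudWatch filter syntax.

```python
import re

# The IAM policy-change event names the control's metric filter must match
# (the same 16 names used in the Step 1 --filter-pattern).
REQUIRED_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
})

# Matches one ($.eventName = X) term; only the OR-of-equalities form shown
# on this page is handled, not the full CloudWatch filter syntax.
_TERM = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')


def filter_event_names(pattern):
    """Event names a simple OR-of-equalities metric filter pattern matches."""
    return frozenset(_TERM.findall(pattern))


def missing_events(pattern):
    """Required event names the deployed filter pattern would NOT match."""
    return REQUIRED_EVENTS - filter_event_names(pattern)


def matching_events(pattern, records):
    """eventNames of the CloudTrail records that would increment the metric."""
    names = filter_event_names(pattern)
    return [r["eventName"] for r in records if r.get("eventName") in names]


# Constructed sample: a deployed pattern that only covers inline-policy
# deletions, i.e. an incomplete deployment of the Step 1 filter.
PARTIAL_PATTERN = (
    "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)"
    "||($.eventName=DeleteUserPolicy)}"
)

# Constructed sample CloudTrail records (trimmed to the fields used here).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUserPolicy"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetPolicy"},  # read-only
]

if __name__ == "__main__":
    gap = missing_events(PARTIAL_PATTERN)
    print(f"filter misses {len(gap)} required events, e.g. {sorted(gap)[:3]}")
    print("would alert on:", matching_events(PARTIAL_PATTERN, SAMPLE_RECORDS))
```

Replace PARTIAL_PATTERN with the filterPattern string from the real DescribeMetricFilters output; an empty missing_events() result means the deployed filter covers every event the control requires.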
Backout Plan:
Delete CloudWatch Alarm:
aws cloudwatch delete-alarms --alarm-names iam-policy-changes-alarm
Remove the metric filter:
aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name iam-changes-metric
Delete SNS topic:
aws sns delete-topic --topic-arn <sns-topic-arn>
References: