Profile Applicability:
Level 2
Description:
Real-time monitoring of unauthorized API calls can be achieved by directing AWS CloudTrail logs to Amazon CloudWatch Logs or an external Security Information and Event Management (SIEM) environment and establishing corresponding metric filters and alarms. It is recommended to configure a CloudWatch metric filter and alarm that detects and alerts on unauthorized API calls, that is, calls CloudTrail records with an UnauthorizedOperation or AccessDenied error code.
Rationale:
CloudWatch is an AWS native service that allows monitoring and alerting on resources and applications. CloudTrail logs can also be sent to an SIEM for monitoring unauthorized API activities. By monitoring unauthorized API calls, organizations can:
Detect malicious activity early
Identify unauthorized access attempts
Reduce security incident response times
Impact:
The alarm may trigger on normal console activity: the AWS console issues many read-only API calls on a user's behalf, and every one the user is not permitted to make is recorded as AccessDenied and counted by the filter.
Excessive alerts may indicate misconfigured IAM permissions, requiring fine-tuning.
If alerts are ignored, real security threats may go unnoticed.
Default Value:
By default, CloudTrail logs API activity, but CloudWatch metric filters and alarms are not automatically configured to monitor unauthorized API calls.
Prerequisites:
IAM Permissions Required (for the audit and implementation commands below):
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:GetEventSelectors
logs:DescribeMetricFilters
logs:PutMetricFilter
cloudwatch:DescribeAlarms
cloudwatch:PutMetricAlarm
sns:CreateTopic
sns:Subscribe
sns:ListSubscriptionsByTopic
AWS CloudTrail must be enabled across all regions.
The trail must deliver to a CloudWatch Logs log group (CloudWatchLogsLogGroupArn is set in the describe-trails output); the metric filter is created on that log group.
Remediation:
Test Plan:
If using CloudTrail and CloudWatch, perform the following steps to ensure that:
A multi-region CloudTrail trail is active.
The metric filter for unauthorized API calls is correctly configured.
A CloudWatch alarm is in place to detect unauthorized API calls.
Step 1: Verify CloudTrail is Multi-Region and Logging is Active
aws cloudtrail describe-trails
Ensure at least one trail has IsMultiRegionTrail set to true and a non-empty CloudWatchLogsLogGroupArn; the log group name in that ARN is the <trail-log-group-name> used in Step 2.
aws cloudtrail get-trail-status --name <trail-name>
Ensure IsLogging is true.
aws cloudtrail get-event-selectors --trail-name <trail-name>
Ensure an event selector has IncludeManagementEvents set to true and ReadWriteType set to All.
Step 2: Check if a Metric Filter Exists for Unauthorized API Calls
aws logs describe-metric-filters --log-group-name <trail-log-group-name>
Ensure the output includes a filter whose filterPattern is:
{ "filterPattern": "{ ($.errorCode =\"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\") }" }
Note the metricName in that filter's metricTransformations; it is the metric the alarm in Step 3 must reference.
Step 3: Verify CloudWatch Alarm Exists for Unauthorized API Calls
aws cloudwatch describe-alarms --query "MetricAlarms[?MetricName == 'unauthorized_api_calls_metric'].[AlarmName,Namespace,AlarmActions]"
Ensure an alarm exists (substitute the metricName found in Step 2 if it differs) and that its AlarmActions contains an SNS topic ARN.
Step 4: Confirm SNS Topic Has Active Subscriptions
aws sns list-subscriptions-by-topic --topic-arn <sns-topic-arn>
Ensure at least one subscription has a real SubscriptionArn. An email subscription that has not been confirmed is listed with SubscriptionArn "PendingConfirmation" and delivers nothing.
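The four audit steps above can be run offline against saved CLI output. The following Python is an added example, not part of the benchmark text: each check takes a dict shaped like the JSON the corresponding aws command prints (boto3 responses use the same keys), so the same logic works against a live account or an exported snapshot. The sample snapshot at the bottom is constructed for illustration; the account ID, ARNs, trail name and subscription ID are invented.

```python
"""Offline form of the four audit steps above (added example, not benchmark text).

Each function takes a dict shaped like the JSON printed by the corresponding
`aws` command, so saved CLI output (or boto3 responses, which use the same
keys) can be checked without network access. The snapshot at the bottom is
constructed for illustration; the account ID, ARNs and names are invented.
"""
import copy
import re

EXPECTED_PATTERN = (
    '{ ($.errorCode ="*UnauthorizedOperation") || ($.errorCode ="AccessDenied*")'
    ' && ($.sourceIPAddress!="delivery.logs.amazonaws.com")'
    ' && ($.eventName!="HeadBucket") }'
)
METRIC_NAME = "unauthorized_api_calls_metric"


def _norm(pattern):
    # Compare with whitespace removed: CloudWatch stores the pattern as typed
    # and sources differ only in spacing around the operators.
    return re.sub(r"\s+", "", pattern)


def log_group_from_arn(arn):
    # arn:aws:logs:REGION:ACCOUNT:log-group:NAME:* -> NAME
    name = arn.split(":log-group:", 1)[1]
    return name[:-2] if name.endswith(":*") else name


def audit(snapshot):
    """Return a list of findings; an empty list means all four steps pass."""
    findings = []
    # Step 1: a multi-region trail, logging, all management events, delivering
    # to a CloudWatch Logs log group.
    trails = [t for t in snapshot["describe_trails"]["trailList"]
              if t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn")]
    if not trails:
        return ["no multi-region trail delivers to CloudWatch Logs"]
    trail = trails[0]
    if not snapshot["get_trail_status"].get("IsLogging"):
        findings.append(f"trail {trail['Name']} is not logging")
    if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
               for s in snapshot["get_event_selectors"].get("EventSelectors", [])):
        findings.append(f"trail {trail['Name']} does not record all management events")
    # Step 2: a metric filter with the benchmark pattern on that log group.
    group = log_group_from_arn(trail["CloudWatchLogsLogGroupArn"])
    matching = [f for f in snapshot["describe_metric_filters"].get("metricFilters", [])
                if f.get("logGroupName") == group
                and _norm(f.get("filterPattern", "")) == _norm(EXPECTED_PATTERN)]
    if not matching:
        findings.append(f"log group {group} has no metric filter with the benchmark pattern")
        return findings
    metric_names = {m["metricName"] for f in matching for m in f["metricTransformations"]}
    # Step 3: an alarm on one of those metrics whose actions include an SNS topic.
    alarms = [a for a in snapshot["describe_alarms"].get("MetricAlarms", [])
              if a.get("MetricName") in metric_names]
    topics = [act for a in alarms for act in a.get("AlarmActions", [])
              if act.startswith("arn:aws:sns:")]
    if not alarms:
        findings.append(f"no alarm on metric(s) {sorted(metric_names)}")
    elif not topics:
        findings.append("alarm exists but AlarmActions contains no SNS topic")
    # Step 4: each topic has a confirmed subscription. An unconfirmed e-mail
    # subscription is listed with SubscriptionArn "PendingConfirmation".
    for topic in topics:
        subs = snapshot["list_subscriptions_by_topic"].get(topic, {}).get("Subscriptions", [])
        if not any(s.get("SubscriptionArn", "").startswith("arn:aws:sns:") for s in subs):
            findings.append(f"SNS topic {topic} has no confirmed subscriptions")
    return findings


# Constructed snapshot of a compliant account (illustrative values only).
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
COMPLIANT = {
    "describe_trails": {"trailList": [{
        "Name": "management-events", "IsMultiRegionTrail": True,
        "CloudWatchLogsLogGroupArn":
            "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/DefaultLogGroup:*"}]},
    "get_trail_status": {"IsLogging": True},
    "get_event_selectors": {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    "describe_metric_filters": {"metricFilters": [{
        "filterName": "unauthorized-api-calls-metric",
        "logGroupName": "CloudTrail/DefaultLogGroup",
        "filterPattern": EXPECTED_PATTERN,
        "metricTransformations": [{"metricName": METRIC_NAME,
                                   "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]},
    "describe_alarms": {"MetricAlarms": [{
        "AlarmName": "unauthorized_api_calls_alarm", "MetricName": METRIC_NAME,
        "Namespace": "CISBenchmark", "AlarmActions": [TOPIC]}]},
    "list_subscriptions_by_topic": {TOPIC: {"Subscriptions": [{
        "SubscriptionArn": TOPIC + ":0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
        "Protocol": "email", "Endpoint": "security-team@example.com"}]}},
}


def pending_subscription_case():
    """Same account, but nobody clicked the SNS confirmation e-mail."""
    snap = copy.deepcopy(COMPLIANT)
    snap["list_subscriptions_by_topic"][TOPIC]["Subscriptions"][0]["SubscriptionArn"] = "PendingConfirmation"
    return audit(snap)


if __name__ == "__main__":
    print("compliant account:", audit(COMPLIANT) or "no findings")
    print("pending subscription:", pending_subscription_case())
```

The pattern comparison ignores whitespace because CloudWatch stores the filter exactly as submitted and the benchmark text, the console and the CLI differ only in spacing; anything else (a missing exclusion, a different error code) is reported as non-compliant. The pending-subscription case is the failure the audit most often finds in practice: every resource exists, but no notification is ever delivered.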
Implementation Steps:
Step 1: Create a CloudWatch Metric Filter
aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name unauthorized-api-calls-metric \
  --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 \
  --filter-pattern '{ ($.errorCode ="*UnauthorizedOperation") || ($.errorCode ="AccessDenied*") && ($.sourceIPAddress!="delivery.logs.amazonaws.com") && ($.eventName!="HeadBucket") }'
The filter pattern is single-quoted so the shell passes the $ and " characters through unchanged.
Step 2: Create an SNS Topic
aws sns create-topic --name security-alerts
Note the TopicArn in the output; it is the <sns-topic-arn> used in the following steps.
Step 3: Subscribe to SNS Topic
aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint security-team@example.com
The recipient must click the confirmation link SNS sends before any alarm notification is delivered; until then the subscription remains in PendingConfirmation.
Step 4: Create a CloudWatch Alarm
aws cloudwatch put-metric-alarm \
  --alarm-name "unauthorized_api_calls_alarm" \
  --metric-name "unauthorized_api_calls_metric" \
  --namespace "CISBenchmark" \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <sns-topic-arn>
The metric filter emits a data point only when an event matches, so in periods with no unauthorized calls the alarm reports INSUFFICIENT_DATA rather than OK. Add --treat-missing-data notBreaching if your notification routing treats that state as a fault.
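To see what the filter pattern and alarm created above actually count, the following Python re-implements the pattern's logic and runs it over constructed CloudTrail records. It is an added example, not benchmark text: the events are invented (only the fields the filter reads are present, plus a label), and it groups the two errorCode clauses explicitly as (UnauthorizedOperation OR AccessDenied) AND not log-delivery AND not HeadBucket, which is the intent of the pattern; the benchmark pattern as written leaves that grouping to CloudWatch's operator precedence.

```python
"""Re-implementation of the unauthorized-API-call filter over sample records.

Added example, not benchmark text. The two errorCode clauses are grouped
explicitly here (assumption about the pattern's intent); the records below
are constructed and their IP addresses, names and labels are invented.
"""


def matches_unauthorized_filter(event):
    """True when this CloudTrail record would increment unauthorized_api_calls_metric."""
    code = event.get("errorCode", "")  # absent on successful calls
    # "*UnauthorizedOperation" is a suffix wildcard (EC2 reports
    # "Client.UnauthorizedOperation"); "AccessDenied*" is a prefix wildcard
    # (covers "AccessDenied" and "AccessDeniedException").
    rejected = code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")
    from_log_delivery = event.get("sourceIPAddress") == "delivery.logs.amazonaws.com"
    head_bucket = event.get("eventName") == "HeadBucket"
    return rejected and not from_log_delivery and not head_bucket


def alarm_state(events, threshold=1):
    """Mirror of the alarm: Sum of the metric over one 300-second period
    compared with the threshold. Returns (state, count). With no matching
    event the filter emits no data point, and an alarm using the default
    missing-data handling then shows INSUFFICIENT_DATA rather than OK."""
    count = sum(matches_unauthorized_filter(e) for e in events)
    if count == 0:
        return ("INSUFFICIENT_DATA", 0)
    return ("ALARM" if count >= threshold else "OK", count)


# Constructed CloudTrail records covering the cases the pattern distinguishes.
SAMPLE_EVENTS = [
    {"label": "EC2 call denied by IAM policy",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.10"},
    {"label": "console page for a user without iam:ListUsers (the false positive from Impact)",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10"},
    {"label": "HeadBucket denied, excluded by the pattern",
     "eventSource": "s3.amazonaws.com", "eventName": "HeadBucket",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10"},
    {"label": "log delivery service denied, excluded by the pattern",
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "delivery.logs.amazonaws.com"},
    {"label": "successful call, no errorCode",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10"},
    {"label": "throttled call, not an authorization failure",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "errorCode": "Client.RequestLimitExceeded", "sourceIPAddress": "203.0.113.10"},
]


def explain(events):
    """Map each record's label to whether the filter counts it."""
    return {e["label"]: matches_unauthorized_filter(e) for e in events}


if __name__ == "__main__":
    for label, hit in explain(SAMPLE_EVENTS).items():
        print(("COUNTED " if hit else "ignored ") + label)
    print(alarm_state(SAMPLE_EVENTS))
```

Only the first two records are counted, and the second is exactly the console read-only case the Impact section warns about: the filter cannot tell a console page load from a probing attacker, so tuning has to happen in IAM or through additional exclusions, not by raising the threshold.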
Remediation:
Review unauthorized API calls logged in CloudTrail.
Investigate IAM policies to verify access permissions.
Grant or revoke access based on the security review.
Update the CloudWatch alarm thresholds if excessive alerts occur.
Backout Plan:
If excessive false alerts occur, update the metric filter to exclude known benign errors by adding further != clauses; when doing so, wrap the two errorCode clauses in parentheses so the exclusions apply to both the UnauthorizedOperation and AccessDenied branches.
If incorrect changes were applied, remove the alarm with aws cloudwatch delete-alarms --alarm-names unauthorized_api_calls_alarm and the filter with aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name unauthorized-api-calls-metric.
If necessary, unsubscribe from the SNS topic using aws sns unsubscribe --subscription-arn <subscription-arn>.