Profile Applicability:

Level 2


Description:


Real-time monitoring of unauthorized API calls can be achieved by directing AWS CloudTrail logs to Amazon CloudWatch Logs or an external Security Information and Event Management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended to configure a CloudWatch metric filter and alarm to detect and alert on unauthorized API calls.


Rationale:

CloudWatch is an AWS-native service that allows monitoring and alerting on resources and applications. CloudTrail logs can also be sent to a SIEM for monitoring unauthorized API activities. By monitoring unauthorized API calls, organizations can:

  • Detect malicious activity early

  • Identify unauthorized access attempts

  • Reduce security incident response times


Impact:

  • The alert may trigger due to normal read-only console activities when users lack permissions.

  • Excessive alerts may indicate misconfigured IAM permissions, requiring fine-tuning.

  • If alerts are ignored, real security threats may go unnoticed.


Default Value:


By default, CloudTrail logs API activity, but CloudWatch metric filters and alarms are not automatically configured to monitor unauthorized API calls.


Prerequisites:

  1. IAM Permissions Required:

    • cloudtrail:DescribeTrails

    • cloudtrail:GetTrailStatus

    • logs:DescribeMetricFilters

    • logs:PutMetricFilter

    • cloudwatch:PutMetricAlarm

    • sns:CreateTopic

    • sns:Subscribe

  2. AWS CloudTrail must be enabled across all regions.

  3. Amazon CloudWatch Logs must be integrated with CloudTrail.


Remediation:

Test Plan:

If using CloudTrail and CloudWatch, perform the following steps to ensure that:

  • A multi-region CloudTrail trail is active.

  • The metric filter for unauthorized API calls is correctly configured.

  • A CloudWatch alarm is in place to detect unauthorized API calls.

Step 1: Verify CloudTrail is Multi-Region and Logging is Active

aws cloudtrail describe-trails

  • Ensure IsMultiRegionTrail is true.

aws cloudtrail get-trail-status --name <trail-name>

  • Ensure IsLogging is true.

aws cloudtrail get-event-selectors --trail-name <trail-name>

  • Ensure IncludeManagementEvents is true and ReadWriteType is All.

Step 2: Check if a Metric Filter Exists for Unauthorized API Calls

aws logs describe-metric-filters --log-group-name <trail-log-group-name>

  • Ensure the output includes a metric filter with the following pattern:

{
  "filterPattern": "{ ($.errorCode =\"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\") }"
}

Step 3: Verify CloudWatch Alarm Exists for Unauthorized API Calls

aws cloudwatch describe-alarms --query "MetricAlarms[?MetricName == 'unauthorized_api_calls_metric']"

  • Ensure alarm exists and is associated with an SNS topic.

Step 4: Confirm SNS Topic Has Active Subscriptions

aws sns list-subscriptions-by-topic --topic-arn <sns-topic-arn>

  • Ensure at least one valid subscription exists.
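As an added example (not part of the benchmark text), the following Python script applies the four Test Plan checks above to the JSON returned by the listed CLI calls; the responses embedded below are constructed samples shaped like the real describe-trails, get-trail-status, describe-metric-filters, describe-alarms and list-subscriptions-by-topic output, and in practice would come from those calls or the equivalent boto3 methods. It also catches an email subscription that was created but never confirmed, which a plain subscription count in Step 4 would pass.

```python
import re
# Expected metric filter pattern and metric identity from the steps above.
EXPECTED_PATTERN = ('{ ($.errorCode ="*UnauthorizedOperation") || '
                    '($.errorCode ="AccessDenied*") && '
                    '($.sourceIPAddress!="delivery.logs.amazonaws.com") && '
                    '($.eventName!="HeadBucket") }')
METRIC_NAME, NAMESPACE = "unauthorized_api_calls_metric", "CISBenchmark"

def _norm(pattern):
    # CloudWatch accepts the pattern with or without spaces between tokens.
    return re.sub(r"\s+", "", pattern)

def audit(trails, status, filters, alarms, subs):
    """Return the Test Plan checks that fail; an empty list means compliant."""
    findings = []
    if not [t for t in trails["trailList"]
            if t.get("IsMultiRegionTrail") and t.get("CloudWatchLogsLogGroupArn")]:
        findings.append("no multi-region trail delivering to CloudWatch Logs")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    matched = [f for f in filters["metricFilters"]
               if _norm(f["filterPattern"]) == _norm(EXPECTED_PATTERN)]
    if not matched:
        findings.append("no metric filter with the unauthorized API call pattern")
    names = {t["metricName"] for f in matched for t in f["metricTransformations"]}
    if not [a for a in alarms["MetricAlarms"]
            if a["MetricName"] in names and a["Namespace"] == NAMESPACE
            and any(x.startswith("arn:aws:sns:") for x in a["AlarmActions"])]:
        findings.append("no alarm on that metric with an SNS action")
    # An email subscription that was never confirmed reports "PendingConfirmation".
    if not [s for s in subs["Subscriptions"]
            if s["SubscriptionArn"].startswith("arn:aws:sns:")]:
        findings.append("SNS topic has no confirmed subscription")
    return findings
# Constructed sample responses (not a real account), shaped like the CLI output.
SAMPLE = dict(
    trails={"trailList": [{"Name": "mgmt-trail", "IsMultiRegionTrail": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*"}]},
    status={"IsLogging": True},
    filters={"metricFilters": [{"filterName": "unauthorized-api-calls-metric",
        "filterPattern": EXPECTED_PATTERN.replace(" ", ""),
        "metricTransformations": [{"metricName": METRIC_NAME, "metricNamespace": NAMESPACE}]}]},
    alarms={"MetricAlarms": [{"MetricName": METRIC_NAME, "Namespace": NAMESPACE,
        "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]}]},
    subs={"Subscriptions": [{"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]},
)
if __name__ == "__main__":
    for finding in audit(**SAMPLE):
        print("FAIL:", finding)
```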


Implementation Steps:


Step 1: Create a CloudWatch Metric Filter

aws logs put-metric-filter \
  --log-group-name <trail-log-group-name> \
  --filter-name unauthorized-api-calls-metric \
  --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 \
  --filter-pattern "{ ($.errorCode =\"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\") }"

Step 2: Create an SNS Topic

aws sns create-topic --name security-alerts

Step 3: Subscribe to SNS Topic

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint security-team@example.com

Step 4: Create a CloudWatch Alarm

aws cloudwatch put-metric-alarm \
  --alarm-name "unauthorized_api_calls_alarm" \
  --metric-name "unauthorized_api_calls_metric" \
  --namespace "CISBenchmark" \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --alarm-actions <sns-topic-arn>

Remediation:

  1. Review unauthorized API calls logged in CloudTrail.

  2. Investigate IAM policies to verify access permissions.

  3. Grant or revoke access based on the security review.

  4. Update the CloudWatch alarm thresholds if excessive alerts occur.


Backout Plan:

  • If excessive false alerts occur, update the metric filter to exclude known benign errors.

  • If incorrect changes were applied, use aws cloudwatch delete-alarms to remove the CloudWatch alarm.

  • If necessary, unsubscribe from the SNS topic using aws sns unsubscribe --subscription-arn <subscription-arn>.


References:

  1. AWS CloudTrail Documentation

  2. Amazon CloudWatch Alarms

  3. AWS SNS Documentation

  4. AWS IAM Best Practices