Profile Applicability:
Level 2
Description:
AWS CloudWatch allows you to share log groups and metrics across accounts. Cross-account sharing is essential when centralizing logs or metrics from different AWS accounts for monitoring and troubleshooting. This check verifies whether CloudWatch cross-account sharing has been enabled to ensure seamless integration and data visibility across accounts.
Rationale:
Enabling CloudWatch cross-account sharing allows centralized management of logs and metrics from different AWS accounts. It ensures efficient monitoring across multiple accounts, providing better visibility into resources spread across AWS environments. This setup can be beneficial for security operations, auditing, and monitoring purposes.
Impact:
Positive Impact: Allows you to centralize monitoring and logging from multiple AWS accounts, making it easier to manage and analyze resources.
Negative Impact: If misconfigured, it may expose sensitive log data or metrics across accounts, leading to unauthorized access.
Default Value:
By default, CloudWatch does not have cross-account sharing enabled. It must be explicitly configured to share logs, metrics, and alarms with other AWS accounts.
Pre-Requisite:
AWS Account Access: Ensure you have permissions to manage CloudWatch settings and cross-account access configurations.
IAM Permissions: Permissions to manage CloudWatch resources and configure cross-account access (e.g., cloudwatch:PutMetricData, cloudwatch:PutDashboard, logs:PutLogEvents).
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the CloudWatch Console at https://console.aws.amazon.com/cloudwatch/.
On the left panel, choose Logs.
Click on the Log groups tab.
For each log group, click on Actions and check if there is a "Share across accounts" option. If the sharing option is not configured, enable cross-account sharing.
You can also navigate to Alarms or Metrics in CloudWatch and verify the sharing settings for those resources in the same manner.
Using AWS CLI:
Run the following AWS CLI command to check the status of cross-account sharing for CloudWatch logs:
aws logs describe-log-groups --query 'logGroups[*].arn'
To share a log group with another account, run the following command:
aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <kms-key-id>
This command associates the CloudWatch log group with a KMS key that can be used for cross-account access.
To check for cross-account sharing of CloudWatch metrics, use:
aws cloudwatch describe-alarms --query 'MetricAlarms[*].Arn'
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the CloudWatch Console.
In the left panel, select Logs, Metrics, or Alarms, depending on what you need to share.
Click Actions, then select Share across accounts or Set cross-account sharing.
Follow the prompts to configure sharing, including specifying the AWS account IDs with which you want to share resources.
Click Save or Apply to complete the configuration.
Using AWS CLI:
Ensure CloudWatch logs, metrics, or alarms are enabled for sharing across accounts:
aws logs associate-kms-key --log-group-name <log-group-name> --kms-key-id <kms-key-id>
Use the following to enable cross-account sharing of CloudWatch logs and metrics:
aws cloudwatch put-metric-data --namespace <namespace> --metric-name <metric-name> --value <value> --dimensions <dimension> --region <region>
Backout Plan:
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudWatch > Settings > Cross-Account Sharing.
If you need to revoke cross-account sharing:
Locate the specific account or permission settings that were enabled for sharing.
Remove the shared accounts by editing or deleting the permissions.
Save the updated settings to finalize the changes.
Using AWS CLI:
Retrieve the current resource policies for CloudWatch:
aws logs describe-resource-policies
Identify the policy associated with cross-account sharing and note the policyName.
Remove the cross-account sharing policy:
aws logs delete-resource-policy --policy-name <policy-name>
Verify that the policy has been removed:
aws logs describe-resource-policies
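The resource policies listed by "aws logs describe-resource-policies" (used in the Test Plan and the Backout Plan above) are where cross-account access to CloudWatch Logs is actually granted, so a quick way to review them is to parse that output and flag every policy whose Allow statements name principals outside your own account. The following Python is an added example, not part of this control's text; the policy names, account IDs and the owning account ID are constructed sample values.

```python
import json
import re

# 12-digit account ID inside an IAM ARN ("arn:aws:iam::123456789012:root") or given as a bare ID.
ACCOUNT_RE = re.compile(r"arn:aws:iam::(\d{12}):|^(\d{12})$")

def principal_accounts(principal):
    """Account IDs (or '*' for anonymous access) named by a Principal element; service principals are skipped."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])  # only the AWS key names accounts
    accounts = set()
    for p in ([principal] if isinstance(principal, str) else principal):
        m = ACCOUNT_RE.search(p)
        if p == "*":
            accounts.add("*")
        elif m:
            accounts.add(m.group(1) or m.group(2))
    return accounts

def cross_account_grants(policy_document, own_account):
    """Sorted list of foreign account IDs ('*' = anyone) that Allow statements in this policy grant to."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a bare object
    foreign = set()
    for s in stmts:
        if s.get("Effect") == "Allow":
            foreign |= principal_accounts(s.get("Principal", {})) - {own_account}
    return sorted(foreign)

def audit_resource_policies(describe_output, own_account):
    """Map policyName -> foreign principals for the JSON that describe-resource-policies returns."""
    findings = {}
    for pol in json.loads(describe_output)["resourcePolicies"]:
        grants = cross_account_grants(pol["policyDocument"], own_account)
        if grants:
            findings[pol["policyName"]] = grants
    return findings

# Constructed sample in the shape of describe-resource-policies output (policyDocument is a JSON string).
SAMPLE = json.dumps({"resourcePolicies": [
    {"policyName": "central-logging", "policyDocument": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "111111111111"]},
        "Action": "logs:PutLogEvents", "Resource": "*"}]})},
    {"policyName": "route53-query-logs", "policyDocument": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": {"Service": "route53.amazonaws.com"},
        "Action": "logs:PutLogEvents", "Resource": "*"}]})}]})
```

Running audit_resource_policies(SAMPLE, "111111111111") reports only "central-logging" (granting account 222222222222); any policy that returns "*" grants anonymous access and should be removed with delete-resource-policy as described above.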