Profile Applicability:
Level 1
Description:
It is essential to monitor changes to your AWS Organizations for auditing and security purposes. Using AWS CloudWatch, you can set up a metric filter and alarm to track any changes within the AWS Organizations service. This check ensures that any organizational changes are captured and reported via CloudWatch.
Rationale:
AWS Organizations is a service used to manage multiple AWS accounts in a consolidated environment. Any modification to the organization can affect security and governance. By setting up a log metric filter and alarm for AWS Organizations changes, you can ensure that security teams are notified in real time of changes such as the creation of new accounts or modifications to policies.
Impact:
Positive Impact: Provides real-time monitoring of organizational changes, which helps in identifying unauthorized or accidental changes quickly.
Negative Impact: Misconfiguration could cause missed alerts or false positives, leaving potential security blind spots.
Default Value:
By default, AWS Organizations changes are not tracked with a log metric filter and alarm. You need to set up these resources manually to monitor for such events.
Pre-Requisite:
Permissions Required: IAM permissions to read CloudTrail logs and configure CloudWatch logs and alarms.
AWS Services: CloudTrail and CloudWatch must be enabled to capture and monitor logs.
Logging: Ensure AWS CloudTrail is enabled to log API activity for AWS Organizations.
Remediation:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the CloudWatch Console at https://console.aws.amazon.com/cloudwatch/.
In the left navigation pane, select Logs.
Under the Log Groups section, click on Create Metric Filter.
Select the Log Group that contains the CloudTrail logs.
In the filter pattern, use the following to capture AWS Organizations changes:
{($.eventSource = "organizations.amazonaws.com")}
Set up the metric transformation to create a new metric, for example, AWS_Organizations_Changes.
After saving the metric filter, navigate to Alarms in the CloudWatch Console.
Choose Create Alarm and select the metric you created (AWS_Organizations_Changes).
Configure the alarm to send notifications via SNS or another notification method.
Using AWS CLI:
Run the following CLI command to create a metric filter for AWS Organizations changes:
aws logs put-metric-filter --log-group-name <log-group-name> \
  --filter-name AWS_Organizations_Changes_Filter \
  --filter-pattern '{($.eventSource = "organizations.amazonaws.com")}' \
  --metric-transformations metricName=AWS_Organizations_Changes,metricNamespace='AWS/Organizations',metricValue=1
Create a CloudWatch alarm based on the metric filter:
aws cloudwatch put-metric-alarm --alarm-name AWS_Organizations_Changes_Alarm \
  --metric-name AWS_Organizations_Changes --namespace 'AWS/Organizations' \
  --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --alarm-actions <sns-topic-arn>
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the CloudWatch Console.
In the left panel, select Logs.
For the Log Group, click on Create Metric Filter.
Define the filter pattern for capturing AWS Organizations events.
Set the metric transformation to create a custom metric for these events.
In the CloudWatch Alarms section, create an alarm based on this new metric.
Configure the alarm action to send notifications, such as an SNS topic or email.
Using AWS CLI:
Create a Metric Filter:
aws logs put-metric-filter --log-group-name <log-group-name> \
  --filter-name AWS_Organizations_Changes_Filter \
  --filter-pattern '{($.eventSource = "organizations.amazonaws.com")}' \
  --metric-transformations \
  metricName=AWS_Organizations_Changes,metricNamespace='AWS/Organizations',metricValue=1
Create a CloudWatch Alarm:
aws cloudwatch put-metric-alarm --alarm-name AWS_Organizations_Changes_Alarm \
  --metric-name AWS_Organizations_Changes --namespace 'AWS/Organizations' \
  --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 --alarm-actions <sns-topic-arn>
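The CLI steps above create the filter and alarm but do not verify them. The following is an added example, not part of this check's text, that audits the parsed output of aws logs describe-metric-filters and aws cloudwatch describe-alarms: it confirms that a filter selects the Organizations event source, that it emits a metric, and that an alarm with a notification action watches that metric. The sample responses, log group name and SNS topic ARN are constructed placeholders.

```python
import re

# Constructed samples shaped like the parsed JSON output of
# `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`
# (names, log group and the SNS ARN are placeholders, not from a real account).
METRIC_FILTERS = {"metricFilters": [{
    "filterName": "AWS_Organizations_Changes_Filter",
    "filterPattern": '{($.eventSource = "organizations.amazonaws.com")}',
    "logGroupName": "CloudTrail/DefaultLogGroup",
    "metricTransformations": [{"metricName": "AWS_Organizations_Changes",
                               "metricNamespace": "AWS/Organizations",
                               "metricValue": "1"}],
}]}
ALARMS = {"MetricAlarms": [{
    "AlarmName": "AWS_Organizations_Changes_Alarm",
    "MetricName": "AWS_Organizations_Changes",
    "Namespace": "AWS/Organizations",
    "Statistic": "Sum", "Period": 300, "Threshold": 1.0,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:example-topic"],
}]}

# Accepts the page's pattern with or without quotes around the event source.
ORG_SOURCE = re.compile(r'\$\.eventSource\s*=\s*"?organizations\.amazonaws\.com"?')

def organizations_filters(describe_metric_filters):
    """Metric filters whose pattern selects the AWS Organizations event source."""
    return [f for f in describe_metric_filters.get("metricFilters", [])
            if ORG_SOURCE.search(f.get("filterPattern", ""))]

def audit_organizations_monitoring(describe_metric_filters, describe_alarms):
    """Return findings; an empty list means the control is met: a filter selects
    Organizations events, emits a metric, and an alarm with at least one action
    watches that metric under the same namespace."""
    findings = []
    filters = organizations_filters(describe_metric_filters)
    if not filters:
        return ["no metric filter selects $.eventSource = organizations.amazonaws.com"]
    alarms = describe_alarms.get("MetricAlarms", [])
    for f in filters:
        transforms = f.get("metricTransformations", [])
        if not transforms:
            findings.append(f"filter {f['filterName']} emits no metric")
        for t in transforms:
            watching = [a for a in alarms if a.get("MetricName") == t["metricName"]
                        and a.get("Namespace") == t["metricNamespace"]]
            if not watching:
                findings.append(f"no alarm on {t['metricNamespace']}/{t['metricName']}")
            findings += [f"alarm {a['AlarmName']} has no alarm action"
                         for a in watching if not a.get("AlarmActions")]
    return findings
```

Feed it the real responses (for example via json.load on the CLI output) to turn the manual check into a repeatable audit.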
Backout Plan:
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudWatch > Logs > Log Groups.
Select the Log Group associated with AWS Organizations changes.
Locate the Log Metric Filter that was previously created. If necessary, delete it:
Go to Metric Filters and select the metric filter you want to remove.
Click Delete and confirm the action.
Navigate to Alarms within CloudWatch.
Identify the alarm created for AWS Organizations changes. Delete it:
Select the alarm you want to remove.
Click Actions > Delete and confirm.
Using AWS CLI:
List all metric filters to identify the one associated with AWS Organizations changes:
aws logs describe-metric-filters --log-group-name <log-group-name>
Delete the specific metric filter:
aws logs delete-metric-filter \
  --log-group-name <log-group-name> \
  --filter-name <filter-name>
List all CloudWatch alarms to identify the alarm created for AWS Organizations changes:
aws cloudwatch describe-alarms
Delete the specific alarm: