Profile Applicability:
 Level 1

Description:

AWS CloudWatch Alarms monitor specific metrics and can trigger actions when these metrics reach defined thresholds. Ensuring that these alarms have actions enabled allows for automated responses, such as sending notifications or executing corrective measures, thereby enhancing system reliability and operational efficiency.

Rationale:

Configuring actions for CloudWatch Alarms ensures timely and appropriate responses to metric threshold breaches. This proactive approach aids in swift issue resolution, minimizes downtime, and maintains system health by notifying stakeholders or initiating corrective measures without manual intervention.

Impact:

  • Positive Impact: Automated responses to alarm conditions lead to faster issue detection and resolution, reducing the potential impact on system performance and availability.

  • Negative Impact: Minimal, though it requires ensuring that action targets (e.g., SNS topics, Lambda functions) are correctly configured and accessible.

Default Value:

By default, CloudWatch Alarms are created without any actions enabled. Actions must be explicitly configured to be active.

Pre-Requisite:

  • IAM Permissions: Ensure that you have the necessary permissions to view and modify CloudWatch Alarms and their actions.

  • AWS Services: CloudWatch, SNS (for notifications), Lambda (for custom actions), Auto Scaling (for scaling actions).

  • Tools Required: AWS Management Console, AWS CLI.

Remediation:

Test Plan

Using AWS Console:

  1. Sign In: Log in to the AWS Management Console.

  2. Navigate to CloudWatch: Go to the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  3. Access Alarms: In the navigation pane, click on Alarms.

  4. Select Alarms: Review the list of alarms and select each one to check its action configurations.

  5. Edit Actions: For alarms lacking actions, click Actions, then Edit.

  6. Configure Actions: In the Actions section, ensure that actions are enabled for the desired states (ALARM, INSUFFICIENT_DATA, OK).

  7. Save Changes: Click Save changes to apply any updates.

Using AWS CLI:

List Alarms: Run the following command to list all CloudWatch alarms and their action statuses:

aws cloudwatch describe-alarms --query 'MetricAlarms[].{AlarmName:AlarmName, ActionsEnabled:ActionsEnabled}'

Enable Actions: For alarms without actions enabled, use the following command to enable them:

aws cloudwatch enable-alarm-actions --alarm-names "YourAlarmName"
Replace "YourAlarmName" with the name of your alarm.
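The query above reports only the ActionsEnabled flag, and an alarm with that flag set but no action ARNs still triggers nothing. The following added example (not part of the original benchmark text) audits describe-alarms JSON for both conditions. The function name, script name, alarm names, and SNS ARN are constructed for illustration.

```python
"""Flag CloudWatch alarms that cannot trigger any action.

Usage: aws cloudwatch describe-alarms --output json | python3 audit_alarm_actions.py
(the script name is hypothetical; with no piped input the constructed SAMPLE is used).
"""
import json
import sys

# Per-state action lists as returned by describe-alarms.
ACTION_FIELDS = {"ALARM": "AlarmActions", "OK": "OKActions",
                 "INSUFFICIENT_DATA": "InsufficientDataActions"}


def audit_alarms(describe_output):
    """Return {alarm name: finding} for alarms whose state changes trigger nothing."""
    findings = {}
    alarms = (describe_output.get("MetricAlarms", [])
              + describe_output.get("CompositeAlarms", []))
    for alarm in alarms:
        # States (ALARM, OK, INSUFFICIENT_DATA) that have at least one action ARN.
        states = [s for s, field in ACTION_FIELDS.items() if alarm.get(field)]
        if not alarm.get("ActionsEnabled", False):
            findings[alarm["AlarmName"]] = "ActionsEnabled is false"
        elif not states:
            findings[alarm["AlarmName"]] = "enabled, but no action ARN for any state"
    return findings


# Constructed sample in the shape of describe-alarms output (not real resources).
TOPIC = "arn:aws:sns:us-east-1:111122223333:ops-alerts"
SAMPLE = {"MetricAlarms": [
    {"AlarmName": "cpu-high", "ActionsEnabled": True,
     "AlarmActions": [TOPIC], "OKActions": [], "InsufficientDataActions": []},
    {"AlarmName": "disk-full", "ActionsEnabled": False,
     "AlarmActions": [TOPIC], "OKActions": [], "InsufficientDataActions": []},
    {"AlarmName": "errors-5xx", "ActionsEnabled": True,
     "AlarmActions": [], "OKActions": [], "InsufficientDataActions": []},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_alarms(data)
    for name, finding in sorted(results.items()):
        print(f"FAIL {name}: {finding}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any alarm fails, so it can gate a scheduled compliance job.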

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudWatch > Alarms.

  3. Identify the alarm for which actions were recently enabled.

  4. Select the alarm and click Actions > Edit.

  5. Remove or disable the configured action(s) under the Actions section. Leave it blank if actions are no longer required.

  6. Save the changes to finalize the update and revert the alarm configuration.

Using AWS CLI:

Retrieve the current configuration of the specific alarm:

aws cloudwatch describe-alarms --alarm-names <alarm-name>

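Disable the enabled actions on the alarm. Use disable-alarm-actions, the inverse of enable-alarm-actions; put-metric-alarm overwrites the whole alarm definition and fails unless the alarm's required parameters are supplied again:

aws cloudwatch disable-alarm-actions --alarm-names <alarm-name>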

Confirm the changes by retrieving the updated configuration:

aws cloudwatch describe-alarms --alarm-names <alarm-name>

References:

CIS Controls

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 16.10 | Deploy Alerting Mechanisms – Ensure that alerts are generated and acted upon when thresholds or suspicious activities are detected. | | | |
| v8 | 13.11 | Implement Automated Security Event Response – Use automation to respond to detected security events. | | | |