Profile Applicability
Level 1
Description:
Monitoring unauthorized API calls is a critical step in maintaining the security of an AWS environment. Unauthorized API calls can indicate a potential security threat or attempt to exploit vulnerabilities in your AWS resources. These may include attempts to access services or perform actions for which the user does not have appropriate permissions.
By tracking and monitoring unauthorized API calls, organizations can quickly identify potential security incidents, investigate unauthorized access attempts, and enforce the principle of least privilege across their AWS environment.
Rationale:
Unauthorized API calls can lead to:
Unauthorized access to AWS resources.
Data breaches or loss if sensitive data is exposed.
Violations of security policies and non-compliance with regulatory requirements (e.g., SOC 2, HIPAA).
Monitoring unauthorized API calls ensures that all access attempts are legitimate and properly authorized, reducing the risk of a breach and maintaining the integrity of AWS environments.
Impact:
Failure to monitor unauthorized API calls can result in:
Lack of visibility into potentially malicious activity.
Increased vulnerability to attacks, data exfiltration, or accidental exposure of sensitive data.
Non-compliance with security standards and regulations.
Monitoring these events helps detect unauthorized access attempts early, so that they can be investigated and contained before they become security incidents, and improves compliance posture.
Default Value:
AWS CloudTrail by default logs all API calls, including unauthorized ones. However, organizations must configure AWS CloudWatch to actively monitor these logs and set up alerts for unauthorized access attempts.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
cloudtrail:LookupEvents
cloudwatch:PutMetricData
cloudwatch:DescribeAlarms
AWS CloudTrail enabled for logging all API calls
AWS CloudWatch configured to monitor unauthorized API calls
Remediation:
Test Plan:
Using AWS Console:
Go to the CloudTrail Console.
Ensure that Management Events are enabled for logging all API calls, including failed attempts.
Go to the CloudWatch Console to confirm that CloudWatch is configured to monitor and alert on unauthorized API calls.
Using AWS CLI:
Note that lookup-events cannot filter on error codes directly: EventName is the name of the API call (for example DescribeInstances), not the error it returned, so the filter has to be applied to the CloudTrailEvent JSON returned for each event, which carries the errorCode field:
aws cloudtrail lookup-events --query "Events[?contains(CloudTrailEvent, 'UnauthorizedOperation') || contains(CloudTrailEvent, 'AccessDenied')].[EventTime,EventName,Username]" --output table
To verify CloudWatch monitoring for unauthorized API calls:
aws cloudwatch describe-alarms --query "MetricAlarms[?AlarmName=='UnauthorizedApiCallAlarm']" --output table
Implementation Plan:
Using AWS Console:
Ensure CloudTrail is logging all API calls:
Go to the CloudTrail Console.
Ensure Management Events are enabled for both read and write activity. CloudTrail records failed API calls, including those rejected with UnauthorizedOperation, as ordinary events carrying an error code; there is no separate setting for them.
Ensure logs are being stored in an S3 bucket for long-term retention and auditing.
Set up CloudWatch metrics and alarms for unauthorized API calls:
In the CloudWatch Console, on the log group that the trail delivers to, create a metric filter that matches UnauthorizedOperation error codes (or failed ConsoleLogin events) and emits a custom metric.
Set up a CloudWatch alarm to trigger when unauthorized API calls exceed a threshold.
Using AWS CLI:
Verify CloudTrail logging for unauthorized API calls:
aws cloudtrail lookup-events --query "Events[?contains(CloudTrailEvent, 'UnauthorizedOperation') || contains(CloudTrailEvent, 'AccessDenied')].[EventTime,EventName,Username]" --output table
Set up CloudWatch to monitor unauthorized API calls. The alarm watches the custom metric emitted by the metric filter, so the metric name and namespace must match the filter's metric transformation (custom metrics cannot use the reserved AWS/ namespaces), and the alarm needs at least one action, such as an SNS topic, or it will fire without notifying anyone:
aws cloudwatch put-metric-alarm --alarm-name "UnauthorizedApiCallAlarm" --metric-name "UnauthorizedApiCalls" --namespace "CloudTrailMetrics" --statistic "Sum" --period 300 --threshold 1 --comparison-operator "GreaterThanOrEqualToThreshold" --evaluation-periods 1 --actions-enabled --alarm-actions <sns-topic-arn>
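The following script is an added example and is not part of this benchmark text. It ties the implementation steps above together: the metric filter pattern, the metric filter on the CloudTrail log group, and the alarm in one function, plus a local check that applies the same error-code logic to exported CloudTrail records, which can also be used for the Test Plan above when reviewing logs offline. The filter pattern is the one the CIS AWS Foundations Benchmark uses for unauthorized API calls. The log group name, the SNS topic ARN, the CloudTrailMetrics namespace and the UnauthorizedApiCalls filter name are assumptions; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the original benchmark page. Assumes:
#   - CloudTrail delivers to the CloudWatch Logs group named in $LOG_GROUP
#   - an SNS topic whose ARN is in $SNS_TOPIC_ARN receives alarm notifications
# The names UnauthorizedApiCalls and CloudTrailMetrics are illustrative;
# UnauthorizedApiCallAlarm matches the alarm name used on this page.

# Match on errorCode, not eventName: CloudTrail records a rejected call as a
# normal event (e.g. DescribeInstances) whose errorCode is
# "Client.UnauthorizedOperation" (EC2) or "AccessDenied" (IAM, S3, ...).
FILTER_PATTERN='{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

# Local equivalent of the metric filter for exported CloudTrail records
# (one JSON object per line on stdin). Prints only the matching records.
unauthorized_records() {
  grep -E '"errorCode" *: *"([^"]*UnauthorizedOperation|AccessDenied[^"]*)"'
}

# Number of matches; this is what the CloudWatch metric sums over each period.
count_unauthorized() {
  unauthorized_records | wc -l | tr -d ' '
}

# Create the metric filter and the alarm. Needs the AWS CLI and the
# logs:PutMetricFilter and cloudwatch:PutMetricAlarm permissions.
setup_unauthorized_monitoring() {
  log_group="$1"; sns_topic_arn="$2"
  aws logs put-metric-filter \
    --log-group-name "$log_group" \
    --filter-name "UnauthorizedApiCalls" \
    --filter-pattern "$FILTER_PATTERN" \
    --metric-transformations metricName=UnauthorizedApiCalls,metricNamespace=CloudTrailMetrics,metricValue=1
  aws cloudwatch put-metric-alarm \
    --alarm-name "UnauthorizedApiCallAlarm" \
    --metric-name "UnauthorizedApiCalls" \
    --namespace "CloudTrailMetrics" \
    --statistic Sum --period 300 --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --alarm-actions "$sns_topic_arn"
}

# Constructed sample records (abbreviated CloudTrail events, one per line).
# Only the first two carry an error code the filter should match.
SAMPLE_RECORDS='{"eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation","userIdentity":{"userName":"alice"}}
{"eventName":"GetObject","errorCode":"AccessDenied","userIdentity":{"userName":"bob"}}
{"eventName":"ListBuckets","userIdentity":{"userName":"carol"}}
{"eventName":"ConsoleLogin","responseElements":{"ConsoleLogin":"Failure"},"userIdentity":{"userName":"dave"}}'

# Usage: with LOG_GROUP and SNS_TOPIC_ARN set, create the filter and alarm;
# otherwise run the local check against the sample records.
if [ -n "$LOG_GROUP" ] && [ -n "$SNS_TOPIC_ARN" ]; then
  setup_unauthorized_monitoring "$LOG_GROUP" "$SNS_TOPIC_ARN"
else
  printf '%s\n' "$SAMPLE_RECORDS" | unauthorized_records
  printf 'unauthorized calls in sample: %s\n' "$(printf '%s\n' "$SAMPLE_RECORDS" | count_unauthorized)"
fi
```

The failed ConsoleLogin record deliberately does not match: it has no errorCode, so it belongs to a separate metric filter rather than this one. Keep the alarm's metric name and namespace identical to the metric transformation, otherwise the alarm sits in INSUFFICIENT_DATA indefinitely and never fires.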
Backout Plan:
Using AWS Console:
If monitoring unauthorized API calls creates excessive alarms or logs:
Go to the CloudWatch Console.
Adjust the threshold or modify the metric filter to reduce the number of triggered alarms.
Optionally, disable the alarm temporarily if it’s generating too many notifications.
If CloudTrail logging causes performance issues:
Modify CloudTrail settings to reduce the scope of logged events, or exclude non-critical API calls.
Using AWS CLI:
Temporarily disable CloudWatch alarms:
aws cloudwatch disable-alarm-actions --alarm-name "UnauthorizedApiCallAlarm"
Stop CloudTrail management-event logging. Unauthorized calls cannot be excluded on their own; this turns off all management events for the trail, which leaves an audit gap until it is re-enabled, so keep the window as short as possible. update-trail has no switch for this; management events are controlled through the trail's event selectors:
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":false}]'
Re-enable monitoring once issues are resolved:
aws cloudwatch enable-alarm-actions --alarm-name "UnauthorizedApiCallAlarm"
aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true}]'