Profile Applicability:

  • Level 1

Description:

This control ensures that AWS CloudTrail log data is monitored for any changes made to Identity and Access Management (IAM) policies. A CloudWatch metric filter and corresponding alarm should be configured to detect and alert when IAM policies are created, updated, deleted, or attached/detached from users, groups, or roles. Monitoring IAM policy changes is critical to maintaining the integrity of access control within the AWS environment.


Rationale:

IAM policies define permissions for AWS users, roles, and services. Unauthorized or unintended modifications to IAM policies can lead to privilege escalation, unauthorized access, and potential data breaches. Establishing alerts for IAM policy changes ensures visibility into access control modifications, enabling rapid detection and response to potential security risks.


Impact:

  • Positive Impact:Provides visibility into changes that affect user and role permissions.Helps detect unauthorized privilege escalations or policy misconfigurations.Supports compliance by maintaining proper access control auditability.
  • Negative Impact:Slight increase in CloudWatch log ingestion and alerting costs.


Default Value:

By default, AWS does not provide a metric filter or alarm for IAM policy changes. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.

  • CloudTrail logs must be delivered to a CloudWatch Logs group.

  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect IAM policy changes:

  6. Assign a metric name such as IAMPolicyChangeEvents.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the IAMPolicyChangeEvents metric.

  9. Set a threshold (e.g., ≥ 1 occurrence within 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.


Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.
  2. Open the CloudTrail log group.
  3. Choose Create metric filter and use the following pattern:
  4. Set Metric Name: IAMPolicyChangeEvents.
  5. Create an Alarm:
    • Metric: IAMPolicyChangeEvents
    • Namespace: CISBenchmark
    • Condition: ≥ 1 in 5 minutes
    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
  6. Save all configurations.


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.

  2. Select the IAMPolicyChangeEventsAlarm.

  3. Choose Actions → Delete.

  4. Go to Logs → Metric Filters.

  5. Delete the IAMPolicyChangeEvents filter.


References: