Profile Applicability:

  • Level 1


Description:

This control ensures that AWS CloudTrail log data is monitored for unauthorized API calls made to AWS services. A CloudWatch metric filter and corresponding alarm must be created to detect and alert when API calls are denied due to missing permissions or invalid credentials. Monitoring unauthorized API calls helps identify potential brute-force attacks, privilege escalation attempts, or misconfigured IAM permissions.


Rationale:

Unauthorized API calls often indicate attempts to access resources without proper permissions or potential reconnaissance by threat actors. By creating a metric filter and alarm for these events, organizations gain visibility into security misconfigurations and possible intrusion attempts. Early detection of unauthorized activities strengthens an organization’s ability to respond quickly and maintain least privilege access principles.


Impact:

  • Positive Impact:
    • Provides early detection of unauthorized access attempts.
    • Enhances visibility into potential misconfigurations or malicious activities.
    • Supports compliance and audit requirements for security monitoring.
  • Negative Impact:
    • Slight increase in CloudWatch costs for log monitoring and metric storage.


Default Value:

By default, AWS does not provide a metric filter or alarm for unauthorized API calls. Manual configuration is required.


Pre-Requisite:

  • CloudTrail must be enabled for all regions.
  • CloudTrail logs must be delivered to a CloudWatch Logs group.
  • IAM permissions required: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, and cloudwatch:DescribeAlarms.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudWatch → Logs → Log groups.

  3. Locate the CloudTrail log group (typically named /aws/cloudtrail/...).

  4. Select Create metric filter.

  5. Enter the following filter pattern to detect unauthorized API calls:

  6. Assign a metric name such as UnauthorizedAPICalls.

  7. Go to CloudWatch → Alarms → Create alarm.

  8. Create an alarm for the UnauthorizedAPICalls metric.

  9. Set a threshold (e.g., ≥ 1 occurrence in 5 minutes) and configure SNS notifications to alert the security team.

  10. Save the configuration.



Implementation Plan

Using AWS Console:

  1. Go to CloudWatch → Logs → Log groups.

  2. Open the CloudTrail log group.
  3. Choose Create metric filter and use the following pattern:
  4. Set Metric Name: UnauthorizedAPICalls.
  5. Create an Alarm:
    • Metric: UnauthorizedAPICalls
    • Namespace: CISBenchmark
    • Condition: ≥ 1 in 5 minutes
    • Actions: Send notification to security team via SNS topic (e.g., aws-security-alerts)
  6. Save all changes.
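The filter-and-alarm logic above, emulated offline as an added example (not code from this page or from AWS): it applies the errorCode matching to constructed CloudTrail records, sums matches per 5-minute period the way the alarm's Sum statistic would, and builds the put_metric_alarm arguments. The filter pattern is assumed to be the commonly used CIS Benchmark pattern (the page does not quote it), and the SNS topic ARN is a placeholder.

```python
import fnmatch
import json
from collections import Counter
from datetime import datetime

# Assumption: the commonly used CIS Benchmark pattern for this control (the page does not quote it).
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
ERROR_CODE_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")
METRIC_NAME, NAMESPACE = "UnauthorizedAPICalls", "CISBenchmark"


def is_unauthorized_call(event: dict) -> bool:
    """Mirror the filter: match when errorCode fits either glob (assumed case-sensitive)."""
    code = event.get("errorCode")
    return isinstance(code, str) and any(fnmatch.fnmatchcase(code, g) for g in ERROR_CODE_GLOBS)


def alarming_periods(records, period_seconds=300, threshold=1):
    """Sum matches per fixed window (Statistic=Sum, Period=300); return windows at/over threshold."""
    counts = Counter()
    for rec in records:
        ev = json.loads(rec)
        if is_unauthorized_call(ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")).timestamp()
            counts[int(ts // period_seconds) * period_seconds] += 1
    return {start: n for start, n in counts.items() if n >= threshold}


def alarm_request(topic_arn: str) -> dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm matching the page's settings (>= 1 in 5 min)."""
    return {"AlarmName": "UnauthorizedAPICallsAlarm", "MetricName": METRIC_NAME, "Namespace": NAMESPACE,
            "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold", "AlarmActions": [topic_arn]}


# Constructed CloudTrail records, one JSON object per CloudWatch Logs event (not real data).
SAMPLE_RECORDS = [
    json.dumps({"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeInstances",
                "errorCode": "Client.UnauthorizedOperation"}),
    json.dumps({"eventTime": "2024-01-01T10:02:30Z", "eventName": "GetObject", "errorCode": "AccessDenied"}),
    json.dumps({"eventTime": "2024-01-01T10:03:00Z", "eventName": "ListBuckets"}),  # success: no errorCode
    json.dumps({"eventTime": "2024-01-01T10:12:00Z", "eventName": "AssumeRole",
                "errorCode": "AccessDeniedException"}),
    json.dumps({"eventTime": "2024-01-01T10:13:00Z", "eventName": "PutObject",
                "errorCode": "NoSuchBucket"}),  # an error, but not an authorization failure
]

if __name__ == "__main__":
    # Expected: {1704103200: 2, 1704103800: 1}  (10:00-10:05 UTC and 10:10-10:15 UTC windows)
    print(alarming_periods(SAMPLE_RECORDS))
    print(alarm_request("arn:aws:sns:REGION:ACCOUNT_ID:aws-security-alerts"))  # placeholder ARN
```

The NoSuchBucket record shows why the pattern keys on errorCode globs rather than on "any error": only authorization failures should raise the metric.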


Backout Plan

Using AWS Console:

  1. Go to CloudWatch → Alarms.
  2. Select the UnauthorizedAPICallsAlarm.
  3. Choose Actions → Delete.
  4. Go to Logs → Metric Filters.
  5. Delete the UnauthorizedAPICalls filter.


References: