AWS-Monitoring-Unauthorized-API-Call-Log-Metric
Severity : Medium
Description: This control checks if CloudWatch alarm exists for cloud trail events to monitor unauthorized API calls. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity. It is recommended that a metric filter and alarm be established for unauthorized API calls.
Remediation Steps:
Perform following to configure Monitoring unauthorized API call :
Create the cloud trail for the API calls
Login to the AWS Management Console at https://console.aws.amazon.com
Go to CloudTrail in services
On Trails section of the Dashboard , choose Create trail.
For Trail name, type a name.
For organization trail, choose to enable the trail for all accounts in organization.
For Storage location, choose Create new S3 bucket or Use existing S3 bucket. if using existing bucket, specify a bucket in Trail log bucket name,
Create a folder and Enter the folder name in Prefix. This helps organize logs in bucket.
For Log file SSE-KMS encryption, choose Enabled.
In Additional settings, For Log file validation, choose Enabled.
Configure CloudTrail to send log files to CloudWatch Logs by choosing Enabled in CloudWatch Logs.
For Tags, add one or more custom tags.
On the Choose log events, In Management events for API activity, choose if to log Read events and Write events both.
Choose Next.
Choose Create trail.
Create a metric filter for the API call log
Go to CloudWatch in services.
In the navigation, choose Logs.
In the list of log groups, choose the log group that was created for CloudTrail API log events above.
Choose Actions, and then choose Create metric filter.
On the Define pattern page, in Create filter pattern, enter the following for Filter pattern.
{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
In Test pattern, leave defaults. Choose Next.
On the Assign metric page, for Filter name, enter unauthorized_api_calls_metric.
In Metric details, turn on Create new, and enter CISBenchmark for Metric namespace. For Metric name, Enter UnauthorizedApiCallsMetric, For Metric value, type 1, Leave Default value blank.
Choose Next.
Choose Create metric filter to create the filter.
Create an alarm for log Event for API Call
On the Metric filters tab, find the metric filter.
Check the box for the metric filter.
In the Metric filters, choose Create alarm.
On the Create Alarm, Enter following in Specify metric and conditions
1 for Graph
Sum for Statistic
5 minute for Period.
In Conditions, for Threshold type, choose Static.
1 for Threshold.
Choose Next.
On the Configure actions, choose In alarm for in alarm state
For Select an SNS topic, choose Create new.
For SNS topic name, enter UnauthorizedApiCallsAlarmTopic.
For Email endpoints that will receive the notification, enter email addresses of users who want to receive notifications.
Choose Create topic.
Choose Next.
On the Add name and description, enter alarm name and description.
Choose Next.
On the Preview and create, choose Create alarm.
Important:
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #4.1
Blue Hexagon Proprietary