AWS-CloudTrail-CloudTrail-Data-Events

Severity : High

Description: This control ensures that a CloudWatch alarm exists for CloudTrail events so that unauthorized API calls are monitored. Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Monitoring unauthorized API calls helps reveal application errors and may reduce the time to detect malicious activity. This control checks that the account has at least one active multi-region CloudTrail trail that captures all management events, that this trail has a metric filter with the recommended filter pattern, that the corresponding metric filter has alarm actions set to an SNS topic, and that the SNS topic has at least one active, valid subscriber. It is recommended that a metric filter and alarm be established for unauthorized API calls.

Remediation Steps:

Perform the following to update the CloudTrail metric filter and alarm:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com

  2. Create a metric filter

    1. Navigate to CloudWatch service.

    2. In the left navigation pane, click on Logs.

    3. Choose the log group to which CloudTrail log events are reported.

    4. Choose Actions, and then choose Create metric filter.

    5. On the Define pattern page, in Create filter pattern, enter the following for Filter pattern:

      • { ($.eventType = AwsApiCall) }

    6. In Test pattern, leave defaults. Choose Next.

    7. On the Assign metric page, for Filter name, enter S3ApiCallEvents.

    8. In Metric details, turn on Create new, and then enter CloudTrailMetrics for Metric namespace.

    9. For Metric name, type S3ApiCallEventsCount.

    10. For Metric value, type 1.

    11. Leave Default value blank.

    12. Choose Next.

    13. On the Review and create page, choose Create metric filter. Then select an SNS topic: choose Create new and configure the topic description.

  3. Create alarm for the filter

    1. Open the details page of the CloudWatch Logs log group.

    2. On the Metric filters tab, choose Create alarm.

    3. On the Create Alarm page, under Specify metric and conditions, configure the metric and its conditions.

    4. On the Configure actions page, choose In alarm as the alarm state that triggers the action.

    5. Choose Next.

    6. On the Add name and description page, enter a name and description for the alarm. Choose Next.

    7. On the Preview and create page, choose Create alarm to create the alarm.

  4. CloudWatch opens the Alarms page. The alarm's Actions column shows Pending confirmation until all email recipients on the SNS topic have confirmed.

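The check chain from the Description above (active multi-region trail capturing all management events, recommended filter pattern, alarm with an SNS action, confirmed subscriber), as an added Python example that is not part of this control page: it evaluates constructed dicts shaped like the CloudTrail, CloudWatch and SNS API responses instead of making live calls, and the account id, ARNs and the name org-trail are placeholders.

```python
# Added example (not the page's code): the control's check chain over constructed boto3-shaped dicts.
RECOMMENDED_PATTERN = "{ ($.eventType = AwsApiCall) }"

def same_pattern(a, b):
    return "".join(a.split()) == "".join(b.split())  # ignore cosmetic whitespace

def trail_in_scope(trail, status):
    """Logging, multi-region, delivered to CloudWatch Logs, all management events captured."""
    return bool(trail.get("IsMultiRegionTrail") and status.get("IsLogging")
                and trail.get("CloudWatchLogsLogGroupArn")
                and any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                        for s in trail.get("EventSelectors", [])))

def confirmed_subscriber(subscriptions):
    # SNS reports unconfirmed endpoints with SubscriptionArn "PendingConfirmation", not an ARN
    return any(s.get("SubscriptionArn", "").startswith("arn:") for s in subscriptions)

def evaluate(trails, statuses, filters_by_group, alarms_by_metric, subs_by_topic):
    """Return (compliant, findings); compliant when any trail satisfies the whole chain."""
    findings = []
    for trail in trails:
        name = trail["Name"]
        if not trail_in_scope(trail, statuses.get(name, {})):
            findings.append(f"{name}: not an active multi-region trail capturing all management events")
            continue
        group = trail["CloudWatchLogsLogGroupArn"].split(":log-group:")[1].split(":")[0]
        filters = [f for f in filters_by_group.get(group, [])
                   if same_pattern(f["filterPattern"], RECOMMENDED_PATTERN)]
        if not filters:
            findings.append(f"{name}: log group {group} lacks the recommended metric filter")
        for t in (t for f in filters for t in f["metricTransformations"]):
            alarms = alarms_by_metric.get((t["metricNamespace"], t["metricName"]), [])
            if not alarms:
                findings.append(f"{t['metricName']}: no alarm defined on the metric")
            for alarm in alarms:
                topics = [a for a in alarm.get("AlarmActions", []) if ":sns:" in a]
                if any(confirmed_subscriber(subs_by_topic.get(tp, [])) for tp in topics):
                    return True, []
                findings.append(f"{alarm['AlarmName']}: no SNS action with a confirmed subscriber")
    return False, findings

# Constructed sample: the chain is complete except that the email subscriber has not confirmed.
TOPIC = "arn:aws:sns:us-east-1:111122223333:cloudtrail-alerts"
TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True,
           "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/logs:*",
           "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]}]
STATUSES = {"org-trail": {"IsLogging": True}}
FILTERS = {"CloudTrail/logs": [{"filterName": "S3ApiCallEvents", "filterPattern": "{($.eventType=AwsApiCall)}",
           "metricTransformations": [{"metricNamespace": "CloudTrailMetrics", "metricName": "S3ApiCallEventsCount"}]}]}
ALARMS = {("CloudTrailMetrics", "S3ApiCallEventsCount"): [{"AlarmName": "S3ApiCallEventsAlarm", "AlarmActions": [TOPIC]}]}
SUBS = {TOPIC: [{"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]}
```

Running evaluate(TRAILS, STATUSES, FILTERS, ALARMS, SUBS) on the sample reports the pending subscription as the only finding, which is exactly the Pending confirmation state step 4 above describes.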

Important:

Reference:

Blue Hexagon Proprietary