Severity : High
Description : Sending CloudTrail logs to CloudWatch is only useful if metric filters are set up to detect risky activity in those logs. Several metric filters are needed to cover the common cases. For the exact filter patterns, please see this plugin on GitHub: https://github.com/cloudsploit/scans/blob/master/monitoringMetrics.
Remediation Steps : Create metric filters on the CloudWatch log group that receives the CloudTrail logs, and an alarm on each resulting metric, so that malicious activity is both detected and notified.
Description: This control ensures that CloudWatch monitoring metrics are configured to show the reliability, availability and performance of EC2 instances. CloudWatch metrics are data about the performance of systems; they are grouped by namespace and then by the dimension combinations within each namespace. Metric math lets you query multiple CloudWatch metrics, use math expressions to create new time series from them, visualize the resulting time series in the CloudWatch console and add them to dashboards.
Remediation Steps:
Perform the following to query CloudWatch metrics:
Log in to the AWS Management Console at https://console.aws.amazon.com
Go to CloudWatch under Services.
In the navigation pane, choose Metrics, then All metrics.
Choose the Query tab.
To run a pre-built sample query, choose Add query and select the query to run. To modify it, choose Editor, edit the sample query and then choose Run.
To create a new query, use the Builder view or the Editor view, type the query and choose Run.
Perform the following to graph a metric:
In the navigation pane, choose Metrics.
On the All metrics tab, enter a search term in the search field, such as a metric name or resource name, and press Enter.
To graph one or more metrics, select the check box next to each metric.
Choose View graphed metrics.
To change the statistic used in the graph, choose the new statistic in the Statistic column next to the metric name.
To change the type of graph, choose Graph options.
To add your graph to a dashboard, choose Actions, Add to dashboard.
Perform the following to create an alarm on the metric:
In the navigation pane, choose Metrics.
Select a metric namespace and then a metric dimension.
Choose the Graphed metrics tab.
For Actions, choose the alarm icon.
Under Conditions, choose Static or Anomaly detection to specify whether to use a static threshold or anomaly detection model for the alarm.
Choose Additional configuration. For Datapoints to alarm, specify how many evaluation periods must be in the ALARM state to trigger the alarm.
For Missing data treatment, choose how to have the alarm behave when some data points are missing.
Choose Next.
Under Notification, select an SNS topic to notify when the alarm is in ALARM state, OK state, or INSUFFICIENT_DATA state.
To have the alarm perform Auto Scaling or EC2 actions, choose the appropriate button and choose the alarm state and action to perform.
When finished, choose Next.
Enter a name and description for the alarm. The name must contain only ASCII characters. Then choose Next.
Under Preview and create, confirm that the information and conditions are what you want, then choose Create alarm.
Important:
Metrics that have not had any new data points in the past two weeks do not appear in the console. They also do not appear when you type their metric name or dimension names in the search box on the All metrics tab. A metric filter publishes a data point only when a log event matches it (unless it has a default value), so a newly created security filter that has not matched anything yet will not be found by this search; create its alarm with the CLI or an SDK instead, naming the metric and namespace directly.
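As an added example (not code from this page or from the plugin linked above), the following Python script evaluates CloudWatch Logs metric-filter patterns of the kind the plugin checks for against a handful of constructed CloudTrail events, then builds the boto3 put_metric_alarm request that the alarm steps above create by hand. The evaluator covers only the syntax the CIS CloudTrail patterns use ($.path selectors, = and != with * wildcards, NOT EXISTS, && and ||, parentheses; && binds tighter than ||, so parenthesise mixed expressions, and the tokenizer silently skips characters it does not recognise). The CIS patterns are quoted from memory, the sample events, the CISBenchmark namespace and the SNS topic ARN are assumptions, and the script sends nothing to AWS.

```python
"""Added example, not the linked plugin's code: evaluate CloudWatch Logs metric-filter
patterns locally and build, without sending, the matching alarm request."""
import re

_TOKEN_RE = re.compile(
    r"\s*(?:(\$\.[A-Za-z0-9_.\-]+)"   # JSON selector, e.g. $.userIdentity.type
    r'|("(?:[^"\\]|\\.)*")'           # double-quoted string
    r"|(&&|\|\||!=|=|[(){}])"         # operators and grouping
    r'|([^\s(){}=!&|"]+))')           # bare word: ConsoleLogin, NOT, EXISTS
_MISSING = object()

class _Parser:
    # Recursive descent. && binds tighter than ||; parenthesise as the CIS patterns do.
    def __init__(self, text):
        self.tokens = [g for m in _TOKEN_RE.finditer(text) for g in m.groups() if g is not None]
        self.pos = 0
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _take(self, want=None):
        tok = self._peek()
        if tok is None or want not in (None, tok):
            raise ValueError(f"expected {want or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok
    def parse(self):
        self._take("{")
        node = self._expr()
        self._take("}")
        return node
    def _expr(self):
        return self._binary("||", lambda: self._binary("&&", self._term))
    def _binary(self, op, operand):
        node = operand()
        while self._peek() == op:
            self._take()
            node = (op, node, operand())
        return node
    def _term(self):
        if self._peek() == "(":
            self._take()
            node = self._expr()
            self._take(")")
            return node
        path, op = self._take(), self._take()
        if not path.startswith("$.") or op not in ("=", "!=", "NOT"):
            raise ValueError(f"unsupported clause {path} {op}")
        if op == "NOT":                                   # "$.field NOT EXISTS"
            self._take("EXISTS")
            return ("absent", path[2:])
        value = self._take()
        return (op, path[2:], value[1:-1] if value.startswith('"') else value)

def _lookup(event, path):
    for key in path.split("."):
        event = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
    return event

def _evaluate(node, event):
    kind = node[0]
    if kind == "&&":
        return _evaluate(node[1], event) and _evaluate(node[2], event)
    if kind == "||":
        return _evaluate(node[1], event) or _evaluate(node[2], event)
    value = _lookup(event, node[1])
    if kind == "absent":
        return value is _MISSING
    regex = ".*".join(re.escape(part) for part in node[2].split("*"))  # "*" wildcard
    equal = value is not _MISSING and re.fullmatch(regex, str(value)) is not None
    return equal if kind == "=" else not equal   # assumption: a missing field satisfies !=

def matches(pattern, event):
    return _evaluate(_Parser(pattern).parse(), event)

def count_matches(pattern, events):  # the Sum the metric filter would publish for the batch
    return sum(matches(pattern, e) for e in events)

# CIS AWS Foundations Benchmark CloudTrail filter patterns (quoted from memory; verify).
CIS_FILTERS = {
    "UnauthorizedAPICalls": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
    "ConsoleSigninWithoutMFA": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "RootAccountUsage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
    "ConsoleAuthFailures": '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
}

SAMPLE_EVENTS = [  # constructed CloudTrail events, trimmed to the fields the patterns inspect
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "AssumeRole", "userIdentity": {"type": "Root", "invokedBy": "ec2.amazonaws.com"}},
    {"eventName": "GetObject", "userIdentity": {"type": "AssumedRole"}, "errorCode": "AccessDenied"},
]

def alarm_request(metric_name, sns_topic_arn, namespace="CISBenchmark"):
    # kwargs for boto3 cloudwatch.put_metric_alarm: one datapoint in one 5-minute period,
    # missing data treated as not breaching (no matches is the normal state), notify SNS.
    return {"AlarmName": f"{metric_name}Alarm", "Namespace": namespace,
            "MetricName": metric_name, "Statistic": "Sum", "Period": 300,
            "EvaluationPeriods": 1, "DatapointsToAlarm": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "TreatMissingData": "notBreaching", "AlarmActions": [sns_topic_arn]}
```

To apply this for real, pass each pattern to boto3 logs.put_metric_filter with a metricTransformations entry whose metricValue is "1" in the same namespace, then call cloudwatch.put_metric_alarm(**alarm_request(...)). Running count_matches over a day of exported CloudTrail events before deploying a filter shows how often it will fire and whether a threshold of 1 per period is tolerable for that account.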
Reference:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/getting-metric-statistics.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/graph_metrics.html