A metric filter and alarm should exist for unauthorized API calls
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Datadog recommends establishing a metric filter and an alarm for unauthorized API calls.
Rationale
Monitoring unauthorized API calls helps reveal application errors and may reduce time to detect malicious activity.
Impact
This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don’t have permissions.
If an excessive number of alerts are being generated, then an organization may consider adding read access to the limited IAM user permissions to quiet the alerts.
In some cases, doing this may allow the users to actually view some areas of the system — any additional access given should be reviewed for alignment with the original limited IAM user intent.
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
From the command line
Retrieve the CloudTrail log group name.
aws cloudtrail describe-trails
Create a metric filter based on the filter pattern provided, which checks for IAM policy changes and the <cloudtrail_log_group_name>
.
aws logs put-metric-filter --log-group-name "cloudtrail_log_group_name" --filter-name "<unauthorized_api_calls_metric>" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") || ($.sourceIPAddress!="delivery.logs.amazonaws.com") ||
($.eventName!="HeadBucket") }"
- Ensure CloudTrail is set to
multi-region
and isLogging
is set True
. - Ensure there is at least one Event Selector with
IncludeManagementEvents
set to True
and ReadWriteType
set to All
.
Note: You can choose your own metricName
and metricNamespace
strings. Use the same metricNamespace
for all Foundations Benchmark metrics to group them together.
Create an SNS topic that the alarm notifies.
aws sns create-topic --name <sns_topic_name>
Note: You can execute this command once and then reuse the same topic for all monitoring alarms. Capture the topic ARN displayed when creating the SNS topic in step 2.
Create an SNS subscription to the topic created in step 2.
aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol<protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: You can execute this command once and then reuse the SNS subscription for all monitoring alarms.
- Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and an SNS topic created in step 2.
aws cloudwatch put-metric-alarm --alarm-name "unauthorized_api_calls_alarm"--metric-name "unauthorized_api_calls_metric" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions<sns_topic_arn>
Configuring a log metric filter and alarm on multi-region (global) CloudTrail ensures the following:
- Activities from all regions (used as well as unused) are monitored.
- Activities on all supported global services are monitored.
- All management events across all regions are monitored.
References
- https://aws.amazon.com/sns/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
- https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html