Unauthorized API calls should be monitored
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
Real-time monitoring of API calls can be achieved by sending CloudTrail logs to CloudWatch Logs and establishing metric filters and alarms. It is recommended to set up a metric filter and alarm for detecting unauthorized API calls to enhance security awareness and reduce time in identifying potential malicious activity.
For instructions on setting up CloudWatch metric filters and alarms for unauthorized API calls, refer to the AWS CloudWatch Alarms for CloudTrail User Guide.
aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name <unauthorized-api-calls-metric> --metric-transformations \
metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 \
--filter-pattern "{ ($.errorCode =\"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && \
($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && \
($.eventName!=\"HeadBucket\") }"
Note: You can choose your own metricName
and metricNamespace
strings. Using the same metricNamespace
for all Foundations Benchmark metrics will group them together.