- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Datadog recommends establishing a metric filter and an alarm for unauthorized API calls.
Monitoring unauthorized API calls helps reveal application errors and may reduce time to detect malicious activity.
This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don’t have permissions.
If an excessive number of alerts are being generated, then an organization may consider adding read access to the limited IAM user permissions to quiet the alerts.
In some cases, doing this may allow the users to actually view some areas of the system — any additional access given should be reviewed for alignment with the original limited IAM user intent.
Perform the following to set up the metric filter, alarm, SNS topic, and subscription:
Retrieve the CloudTrail log group name.
aws cloudtrail describe-trails
Create a metric filter based on the filter pattern provided, which checks for IAM policy changes and the <cloudtrail_log_group_name>
.
aws logs put-metric-filter --log-group-name "cloudtrail_log_group_name" --filter-name "<unauthorized_api_calls_metric>" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") || ($.sourceIPAddress!="delivery.logs.amazonaws.com") ||
($.eventName!="HeadBucket") }"
multi-region
and isLogging
is set True
.IncludeManagementEvents
set to True
and ReadWriteType
set to All
.Note: You can choose your own metricName
and metricNamespace
strings. Use the same metricNamespace
for all Foundations Benchmark metrics to group them together.
Create an SNS topic that the alarm notifies.
aws sns create-topic --name <sns_topic_name>
Note: You can execute this command once and then reuse the same topic for all monitoring alarms. Capture the topic ARN displayed when creating the SNS topic in step 2.
Create an SNS subscription to the topic created in step 2.
aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol<protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
Note: You can execute this command once and then reuse the SNS subscription for all monitoring alarms.
aws cloudwatch put-metric-alarm --alarm-name "unauthorized_api_calls_alarm"--metric-name "unauthorized_api_calls_metric" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions<sns_topic_arn>
Configuring a log metric filter and alarm on multi-region (global) CloudTrail ensures the following: