Unauthorized API calls should be monitored

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

Real-time monitoring of API calls can be achieved by sending CloudTrail logs to CloudWatch Logs and establishing metric filters and alarms. It is recommended to set up a metric filter and alarm for detecting unauthorized API calls to enhance security awareness and reduce time in identifying potential malicious activity.

Remediation

For instructions on setting up CloudWatch metric filters and alarms for unauthorized API calls, refer to the AWS CloudWatch Alarms for CloudTrail User Guide.

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name <unauthorized-api-calls-metric> --metric-transformations \
metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 \
--filter-pattern "{ ($.errorCode =\"*UnauthorizedOperation\") || ($.errorCode =\"AccessDenied*\") && \
($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && \
($.eventName!=\"HeadBucket\") }"

Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.