--- title: Cloudwatch CloudTrail configuration changes alarm missing description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Cloudwatch CloudTrail configuration changes alarm missing --- # Cloudwatch CloudTrail configuration changes alarm missing {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cloudwatch-cloudtrail-configuration-changes-alarm-missing` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) ### Description{% #description %} This check ensures that a CloudWatch log metric filter and corresponding alarm are correctly configured to monitor for changes to AWS CloudTrail settings, such as create, update, or delete operations. If the `aws_cloudwatch_metric_alarm` does not reference the proper metric filter (for example, if the `metric_name` is not set to `aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id`, but instead uses an incorrect value), critical modifications to CloudTrail could go undetected. This misconfiguration can lead to a lack of visibility into potentially malicious activities, such as disabling or modifying CloudTrail to conceal unauthorized actions, ultimately undermining auditability and security monitoring. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { name = "CIS-CloudTrailChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-CloudTrailChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { alarm_name = "CIS-3.5-CloudTrailChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { name = "CIS-CloudTrailChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-CloudTrailChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { alarm_name = "CIS-3.5-CloudTrailChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = "XXXX NOT YOUR FILTER XXXX" namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { name = "CIS-UnauthorizedAPICalls" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-UnauthorizedAPICalls" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { alarm_name = "CIS-3.1-UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] insufficient_data_actions = [] } ``` ```terraform resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { name = "CIS-CloudTrailChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name metric_transformation { name = "CIS-CloudTrailChanges" namespace = "CIS_Metric_Alarm_Namespace" value = "1" } } resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { alarm_name = "CIS-3.5-CloudTrailChanges" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id namespace = "CIS_Metric_Alarm_Namespace" period = "300" statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] insufficient_data_actions = [] } ```