This check ensures that a CloudWatch Logs metric filter and a matching CloudWatch alarm exist to monitor changes to CloudTrail configuration: the CreateTrail, UpdateTrail, DeleteTrail, StartLogging, and StopLogging API calls (CIS AWS Foundations Benchmark control 3.5, as the example alarm name indicates). The alarm must reference the metric that the filter publishes. If the aws_cloudwatch_metric_alarm's metric_name does not point at the filter (for example, a literal value instead of aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id), or the filter pattern omits some of these event names, modifications to CloudTrail can go undetected. An attacker who can call StopLogging or DeleteTrail can then conceal subsequent activity, undermining auditability and security monitoring.

Two details worth verifying when wiring this up: the id of an aws_cloudwatch_log_metric_filter is the filter name, so using it as metric_name only works when the metric_transformation name is the same string (as in the examples below), and the alarm's namespace must equal the metric_transformation namespace. The log group must also be the one the CloudTrail trail actually delivers to; otherwise the filter never sees the events.
Compliant Code Examples
```hcl
resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
  name = "CIS-CloudTrailChanges"
  # All five CloudTrail configuration-change API calls are covered.
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-CloudTrailChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
  alarm_name          = "CIS-3.5-CloudTrailChanges"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = "1"
  # References the filter above. The filter's id is its name, which here is the
  # same string as the metric_transformation name, so the alarm tracks that metric.
  metric_name               = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
Non-Compliant Code Examples
```hcl
# Non-compliant: the alarm's metric_name is a literal that does not reference the
# metric filter, so the alarm never receives the filter's datapoints.
resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
  name           = "CIS-CloudTrailChanges"
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-CloudTrailChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
  alarm_name                = "CIS-3.5-CloudTrailChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = "XXXX NOT YOUR FILTER XXXX"
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
```hcl
# Non-compliant: this configuration only alarms on unauthorized API calls (CIS 3.1).
# No metric filter or alarm for CloudTrail configuration changes exists at all.
resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" {
  name           = "CIS-UnauthorizedAPICalls"
  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-UnauthorizedAPICalls"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" {
  alarm_name                = "CIS-3.1-UnauthorizedAPICalls"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity."
  alarm_actions             = [aws_sns_topic.cis_alerts_sns_topic.arn]
  insufficient_data_actions = []
}
```
```hcl
# Non-compliant: the alarm is wired correctly, but the filter pattern omits
# UpdateTrail and DeleteTrail, so those configuration changes never raise the alarm.
resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" {
  name           = "CIS-CloudTrailChanges"
  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
  log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name

  metric_transformation {
    name      = "CIS-CloudTrailChanges"
    namespace = "CIS_Metric_Alarm_Namespace"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" {
  alarm_name                = "CIS-3.5-CloudTrailChanges"
  comparison_operator       = "GreaterThanOrEqualToThreshold"
  evaluation_periods        = "1"
  metric_name               = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id
  namespace                 = "CIS_Metric_Alarm_Namespace"
  period                    = "300"
  statistic                 = "Sum"
  threshold                 = "1"
  alarm_description         = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account."
  alarm_actions             = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
  insufficient_data_actions = []
}
```
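To see what the filter pattern and alarm actually do at detection time, the following added example replays the patterns from the examples above over a handful of constructed CloudTrail records. It is illustrative code written for this page, not Datadog's rule implementation and not part of the Terraform examples. It supports only the OR-only JSON filter syntax used here (`{ ($.field = value) || ... }`, with CloudWatch's leading/trailing `*` wildcards), and the sample records are simplified: a real CloudTrail record carries an ISO-8601 `eventTime`, whereas this example uses an assumed integer `eventTimeEpoch` field so that bucketing into 300-second periods stays obvious.

```python
"""Replay CloudWatch Logs metric filter patterns over constructed CloudTrail events."""
import fnmatch
import re
from collections import Counter

# Patterns copied from the Terraform examples on this page.
CIS_CLOUDTRAIL_CHANGES_PATTERN = (
    "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) }"
)
TRUNCATED_PATTERN = (  # the non-compliant pattern missing UpdateTrail and DeleteTrail
    "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) }"
)
UNAUTHORIZED_API_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)

# One OR-ed term: ($.field = value), value optionally quoted.
_TERM = re.compile(r'\(\s*\$\.([A-Za-z_][\w.]*)\s*=\s*"?([^\s")]+)"?\s*\)')


def parse_pattern(pattern: str) -> list[tuple[str, str]]:
    """Return the (field, value) alternatives of an OR-only JSON filter pattern."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON metric filter patterns ({ ... }) are supported here")
    inner = body[1:-1]
    # Anything left after removing the terms and the || operators is syntax this toy
    # evaluator does not understand (e.g. &&, !=, numeric comparisons).
    leftover = _TERM.sub("", inner).replace("||", "").strip()
    if leftover:
        raise ValueError(f"unsupported syntax in pattern: {leftover!r}")
    terms = _TERM.findall(inner)
    if not terms:
        raise ValueError("pattern has no terms")
    return terms


def _lookup(event: dict, dotted: str):
    """Resolve a $.a.b selector against a nested dict; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def event_matches(pattern: str, event: dict) -> bool:
    """True when any term matches; '*' at either end behaves as CloudWatch's wildcard."""
    for field, wanted in parse_pattern(pattern):
        actual = _lookup(event, field)
        if actual is not None and fnmatch.fnmatchcase(str(actual), wanted):
            return True
    return False


def metric_datapoints(pattern: str, events: list, period: int = 300) -> dict:
    """Sum of metric value 1 per matching event, bucketed by alarm period start."""
    sums = Counter()
    for ev in events:
        if event_matches(pattern, ev):
            sums[(ev["eventTimeEpoch"] // period) * period] += 1
    return dict(sums)


def alarm_in_alarm(pattern: str, events: list, period: int = 300, threshold: int = 1) -> bool:
    """Statistic Sum, GreaterThanOrEqualToThreshold, evaluation_periods = 1."""
    return any(v >= threshold for v in metric_datapoints(pattern, events, period).values())


def missed_event_names(pattern: str, events: list) -> set:
    """Event names the page's compliant pattern catches but `pattern` does not."""
    return {
        ev["eventName"] for ev in events
        if event_matches(CIS_CLOUDTRAIL_CHANGES_PATTERN, ev) and not event_matches(pattern, ev)
    }


# Constructed, simplified CloudTrail records (not real log data).
SAMPLE_EVENTS = [
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com", "eventTimeEpoch": 1_700_000_010},
    {"eventName": "UpdateTrail", "eventSource": "cloudtrail.amazonaws.com", "eventTimeEpoch": 1_700_000_020},
    {"eventName": "DeleteTrail", "eventSource": "cloudtrail.amazonaws.com", "eventTimeEpoch": 1_700_000_700},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "eventTimeEpoch": 1_700_000_710},
    {"eventName": "LookupEvents", "eventSource": "cloudtrail.amazonaws.com", "eventTimeEpoch": 1_700_000_720},
]

if __name__ == "__main__":
    print("compliant datapoints:", metric_datapoints(CIS_CLOUDTRAIL_CHANGES_PATTERN, SAMPLE_EVENTS))
    print("truncated datapoints:", metric_datapoints(TRUNCATED_PATTERN, SAMPLE_EVENTS))
    print("missed by truncated pattern:", missed_event_names(TRUNCATED_PATTERN, SAMPLE_EVENTS))
```

Run against the sample records, the compliant pattern produces a datapoint in every period that contains a trail change, while the truncated pattern from the last non-compliant example is silent for the period in which only UpdateTrail occurs; a DeleteTrail followed by nothing else would likewise never trip the alarm. The same evaluator accepts the unauthorized-API-calls pattern, which is useful for checking that the wildcard terms match the `errorCode` values you expect before relying on them.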
Ruleset: Terraform / AWS