A metric filter and alarm should exist for unauthorized API calls

Description

Real-time monitoring of API calls can be achieved by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Datadog recommends establishing a metric filter and an alarm for unauthorized API calls.

Rationale

Monitoring unauthorized API calls helps reveal application errors and may reduce time to detect malicious activity.

Impact

This alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don’t have permissions.

If an excessive number of alerts are being generated, then an organization may consider adding read access to the limited IAM user permissions to quiet the alerts.

In some cases, doing this may allow the users to actually view some areas of the system — any additional access given should be reviewed for alignment with the original limited IAM user intent.

Remediation

Perform the following to set up the metric filter, alarm, SNS topic, and subscription:

From the command line

  1. Retrieve the CloudTrail log group name.

    aws cloudtrail describe-trails
    
  2. Create a metric filter based on the filter pattern provided, which checks for IAM policy changes and the <cloudtrail_log_group_name>.

    aws logs put-metric-filter --log-group-name "cloudtrail_log_group_name" --filter-name "<unauthorized_api_calls_metric>" --metric-transformations metricName=unauthorized_api_calls_metric,metricNamespace=CISBenchmark,metricValue=1 --filter-pattern "{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") || ($.sourceIPAddress!="delivery.logs.amazonaws.com") ||
    ($.eventName!="HeadBucket") }"
    
    • Ensure CloudTrail is set to multi-region and isLogging is set True.
    • Ensure there is at least one Event Selector with IncludeManagementEvents set to True and ReadWriteType set to All.

    Note: You can choose your own metricName and metricNamespace strings. Use the same metricNamespace for all Foundations Benchmark metrics to group them together.

  3. Create an SNS topic that the alarm notifies.

    aws sns create-topic --name <sns_topic_name>
    

    Note: You can execute this command once and then reuse the same topic for all monitoring alarms. Capture the topic ARN displayed when creating the SNS topic in step 2.

  4. Create an SNS subscription to the topic created in step 2.

    aws sns subscribe --topic-arn <sns_topic_arn from step 2> --protocol<protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>
    

Note: You can execute this command once and then reuse the SNS subscription for all monitoring alarms.

  1. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and an SNS topic created in step 2.
    aws cloudwatch put-metric-alarm --alarm-name "unauthorized_api_calls_alarm"--metric-name "unauthorized_api_calls_metric" --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions<sns_topic_arn>
    

Additional information

Configuring a log metric filter and alarm on multi-region (global) CloudTrail ensures the following:

  • Activities from all regions (used as well as unused) are monitored.
  • Activities on all supported global services are monitored.
  • All management events across all regions are monitored.

References

  1. https://aws.amazon.com/sns/
  2. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
  3. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
  4. https://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html