Rule: Ensure a log metric filter for unauthorized API calls

This rule ensures the presence of a log metric filter for unauthorized API calls.

Rule: Ensure a log metric filter and alarm exist for unauthorized API calls
Framework: cis_v130
Severity: Low

Rule Description:

To maintain the security of the system and prevent unauthorized access, it is important to have a log metric filter and alarm in place for unauthorized API calls. This rule is specific to CIS benchmark version 1.3.0 (cis_v130).

Troubleshooting Steps:

  1. Verify if the AWS CloudTrail service is enabled in the AWS Management Console.
  2. Ensure that the CloudTrail trail is properly configured to capture API events.
  3. Check if log files are being stored in an S3 bucket designated for CloudTrail logs.
  4. Confirm that the required IAM roles and permissions are properly configured for CloudTrail.
  5. Validate if the appropriate CloudWatch Log Groups are created for CloudTrail logs.
  6. Ensure that the AWS Config service is enabled to capture CloudTrail events.
  7. Verify if the IAM user/role executing the actions has the necessary permissions to create and configure the log metric filter and alarm.

Necessary Codes:

No necessary codes provided for this rule.

Remediation Steps:

Creating Log Metric Filter:

  1. Open the CloudWatch service in the AWS Management Console.
  2. Navigate to "Log Groups" on the left sidebar.
  3. Select the appropriate CloudTrail log group.
  4. Click on the "Create metric filter" button.
  5. In the "Filter Pattern" section, enter the following filter pattern:

     { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

  6. Choose the "Assign a Metric Namespace to this filter" option and provide a suitable namespace.
  7. Under "Metric Value", assign a value that represents unauthorized API calls.
  8. Click on the "Test Pattern" button to verify if the filter matches the expected log events.
  9. Once validated, click on the "Create Filter" button.

Creating Alarm:

  1. After creating the log metric filter, stay on the CloudWatch service console.
  2. Select "Alarms" from the left sidebar.
  3. Click on the "Create Alarm" button.
  4. In the "Select Metric" section, choose the created metric filter from the drop-down list.
  5. Configure the desired threshold and conditions for triggering the alarm based on unauthorized API calls.
  6. Provide appropriate actions to be taken when the alarm is triggered (e.g., sending a notification, invoking an AWS Lambda function).
  7. Add a meaningful name and description to the alarm.
  8. Click on the "Create Alarm" button to finalize the process.
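The following added example (not Cloud Defense's code) reproduces what the "Test Pattern" step checks: it applies the page's filter pattern, with CloudWatch Logs' star-only wildcard semantics, to constructed CloudTrail records and returns the metric value the filter would emit, then builds the arguments for the alarm step. The metric/alarm names, the namespace, the SNS topic and the 5-minute, threshold-of-1 policy are assumptions.

```python
import json
import re

# Filter pattern quoted on this page (CIS 1.3.0 control for unauthorized API calls).
FILTER_PATTERN = ('{ ($.errorCode = "*UnauthorizedOperation") '
                  '|| ($.errorCode = "AccessDenied*") }')
ERROR_CODE_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")

def glob_match(value: str, glob: str) -> bool:
    """CloudWatch Logs filter patterns treat only '*' as a wildcard."""
    regex = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.fullmatch(regex, value) is not None

def matches_filter(event: dict) -> bool:
    """True if this CloudTrail record would be counted by the metric filter."""
    code = event.get("errorCode")
    if not isinstance(code, str):
        return False  # successful calls carry no errorCode and never match
    return any(glob_match(code, g) for g in ERROR_CODE_GLOBS)

def count_unauthorized(log_lines) -> int:
    """Metric value the filter emits for a batch of raw JSON log events."""
    total = 0
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines never match a JSON filter pattern
        if matches_filter(event):
            total += 1  # metric value "1" per matching event
    return total

def alarm_params(namespace: str, sns_topic_arn: str) -> dict:
    """Arguments for boto3 cloudwatch.put_metric_alarm on the filter's metric
    (names, namespace and the 5-minute / threshold-1 policy are assumptions)."""
    return {"AlarmName": "UnauthorizedAPICalls", "Namespace": namespace,
            "MetricName": "UnauthorizedAPICalls", "Statistic": "Sum",
            "Period": 300, "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn]}

# Constructed CloudTrail records (not real log data): exactly two should match.
SAMPLE_EVENTS = [
    '{"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation"}',
    '{"eventName": "GetObject", "errorCode": "AccessDenied"}',
    '{"eventName": "ListBuckets"}',
    '{"eventName": "DescribeInstances", "errorCode": "ThrottlingException"}',
    'not json at all',
]
```

Running `count_unauthorized(SAMPLE_EVENTS)` yields 2; a result of 0 on real events that you expect to match usually means the trail is not delivering to the selected log group or the pattern was mistyped.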

Note:

Ensure that the alarm has appropriate actions such as notifications or automated remediation steps to be taken when triggered. Additionally, it is recommended to periodically review the effectiveness of the log metric filter and alarm and make necessary adjustments to improve accuracy.
