
Rule: Ensure a log metric filter and alarm for AWS Organizations changes

This rule ensures the presence of a log metric filter and alarm for AWS Organizations changes.

Rule: Ensure a log metric filter and alarm exists for AWS Organizations changes
Framework: cis_v130
Severity: Low

Rule Description:

The rule requires the presence of a log metric filter and alarm for capturing and alerting on AWS Organizations changes. This rule ensures monitoring and detection of any modifications made to the AWS Organizations service, providing visibility and timely notification of events related to changes in the account structure and organizational hierarchy.

Troubleshooting Steps:

  1. Validate AWS Organizations Setup:

    • Verify that AWS Organizations is enabled for the AWS account.
    • Ensure that adequate permissions are assigned to the account used for monitoring.

  2. Check CloudTrail Configuration:

    • Confirm that AWS CloudTrail is enabled and properly configured to capture management events related to AWS Organizations.
    • Validate that the CloudTrail trail is created in the appropriate region.

  3. Verify Log Metric Filter Creation:

    • Ensure that a log metric filter is created to capture AWS Organizations change events.
    • Check that the metric filter pattern is correctly configured to capture the relevant log events.

  4. Validate Alarm Configuration:

    • Confirm that a CloudWatch alarm is created and associated with the log metric filter for AWS Organizations changes.
    • Verify that the alarm is properly configured to trigger when the defined threshold conditions are met.

  5. Check Notification Actions:

    • Ensure that appropriate notification actions are configured to alert the relevant stakeholders or teams.
    • Validate the selected notification channels (e.g., email, SNS, etc.) and their subscriptions.

Necessary Code:

There is no specific code provided for this rule. However, the following CloudFormation snippets can be used to create the necessary resources. Both belong under the template's Resources section; LogGroupName (the CloudTrail CloudWatch Logs group) and AlarmNotificationTopic (the SNS topic ARN) are assumed to be template parameters.

  1. Log Metric Filter:

    OrganizationsChangesMetricFilter:
      Type: AWS::Logs::MetricFilter
      Properties:
        LogGroupName: !Ref LogGroupName
        FilterPattern: |-
          { ($.eventSource = organizations.amazonaws.com) && (($.eventName = "InviteAccountToOrganization") || ($.eventName = "UpdateOrganizationalUnit") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "AddOrganizationsServiceLinkedRole") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "CreateAccount") || ($.eventName = "MoveAccount") || ($.eventName = "CreateOrganization") || ($.eventName = "UpdateAccount") || ($.eventName = "UpdatePolicy")) }
        MetricTransformations:
          - MetricName: OrganizationsChanges
            # MetricNamespace is required. Use a custom namespace (the name here is an example);
            # AWS/* namespaces such as AWS/Logs are reserved for AWS services and cannot receive custom metrics.
            MetricNamespace: CISBenchmark
            MetricValue: 1
            # Emit 0 (not 1) for periods with no matching event, so quiet periods are not counted as changes.
            DefaultValue: 0

  2. CloudWatch Alarm:

    OrganizationsChangesAlarm:
      Type: AWS::CloudWatch::Alarm
      Properties:
        AlarmName: OrganizationsChangesAlarm
        AlarmDescription: Notify on AWS Organizations Changes
        # Namespace and MetricName must match the metric filter's MetricNamespace/MetricName exactly;
        # the filter publishes the metric without dimensions, so the alarm must not declare any.
        Namespace: CISBenchmark
        MetricName: OrganizationsChanges
        # Sum >= 1 fires on the first matching event in a period; SampleCount > 1 would miss a single change.
        Statistic: Sum
        Threshold: 1
        ComparisonOperator: GreaterThanOrEqualToThreshold
        Period: 300
        EvaluationPeriods: 1
        TreatMissingData: notBreaching
        AlarmActions:
          - !Ref AlarmNotificationTopic

Note: The above code snippets are written in YAML format for AWS CloudFormation. Adjustments may be needed based on your specific infrastructure and deployment methodology.
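The audit side of this rule, as an added example (not Cloud Defense's or AWS's own code): given the metric filters, alarms and SNS subscriptions of an account, it checks that a filter selects on organizations.amazonaws.com, that an alarm is bound to exactly the (namespace, name) the filter publishes, and that the alarm notifies a topic with at least one subscriber. The input dicts are constructed inline in the shapes boto3's describe_metric_filters(), describe_alarms() and list_subscriptions_by_topic() return; the namespace, topic ARN and subscriber are made-up sample values.

```python
import re

ORG_SOURCE = "organizations.amazonaws.com"


def filter_covers_organizations(pattern):
    """True when the metric filter pattern selects on the Organizations event source."""
    return re.search(r'\$\.eventSource\s*=\s*"?' + re.escape(ORG_SOURCE) + r'"?', pattern) is not None


def event_names_in_pattern(pattern):
    """Event names the pattern matches, for comparison against the list you require."""
    return set(re.findall(r'\$\.eventName\s*=\s*"([A-Za-z]+)"', pattern))


def evaluate(metric_filters, alarms, topic_subscriptions):
    """Return (compliant, findings) for the metric-filter/alarm/notification chain."""
    findings = []
    org_filters = [f for f in metric_filters if filter_covers_organizations(f["filterPattern"])]
    if not org_filters:
        findings.append(f"no metric filter selects {ORG_SOURCE}")
    # A filter publishes to (namespace, name); the alarm must reference exactly that pair,
    # otherwise it sits in INSUFFICIENT_DATA forever and never fires.
    metrics = {(t["metricNamespace"], t["metricName"])
               for f in org_filters for t in f["metricTransformations"]}
    bound = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if org_filters and not bound:
        findings.append(f"no alarm bound to metric(s) {sorted(metrics)}")
    for a in bound:
        topics = [x for x in a.get("AlarmActions", []) if x.startswith("arn:aws:sns:")]
        if not a.get("ActionsEnabled", True) or not topics:
            findings.append(f"alarm {a['AlarmName']} has no enabled SNS action")
        elif not any(topic_subscriptions.get(t) for t in topics):
            findings.append(f"alarm {a['AlarmName']} notifies a topic with no subscribers")
    return (not findings, findings)


# Constructed sample data (not taken from a real account).
PATTERN = ('{ ($.eventSource = organizations.amazonaws.com) && '
           '(($.eventName = "CreateAccount") || ($.eventName = "MoveAccount")) }')
FILTERS = [{"filterName": "OrganizationsChanges", "filterPattern": PATTERN,
            "metricTransformations": [{"metricName": "OrganizationsChanges",
                                       "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]
TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"
GOOD_ALARM = {"AlarmName": "OrganizationsChangesAlarm", "Namespace": "CISBenchmark",
              "MetricName": "OrganizationsChanges", "ActionsEnabled": True, "AlarmActions": [TOPIC]}
# Same alarm pointed at the wrong namespace: it never receives data points and never fires.
WRONG_NS_ALARM = dict(GOOD_ALARM, Namespace="AWS/Logs")
SUBS = {TOPIC: ["security-team@example.com"]}

if __name__ == "__main__":
    print(evaluate(FILTERS, [GOOD_ALARM], SUBS))       # compliant
    print(evaluate(FILTERS, [WRONG_NS_ALARM], SUBS))   # finding: no alarm bound
```

To run it against a real account, replace the constructed lists with the paginated results of the three boto3 calls named above.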

Remediation Steps:

To remediate any non-compliance with this rule, follow these steps:

  1. Create a Log Metric Filter:

    • Open the CloudWatch console: https://console.aws.amazon.com/cloudwatch/.
    • From the navigation pane, choose "Logs" and select the log group that receives the CloudTrail events.
    • Click on the "Create Metric Filter" button.
    • Enter the filter pattern provided in the Necessary Code section above.
    • Confirm that the filter is attached to the log group containing the AWS Organizations events.
    • Save the changes.

  2. Create a CloudWatch Alarm:

    • In the CloudWatch console, navigate to "Alarms" from the left-hand side menu.
    • Click on the "Create Alarm" button.
    • Specify the metric name created in the previous step ("OrganizationsChanges"), in the namespace the metric filter publishes to.
    • Set the appropriate threshold and conditions as per your requirements.
    • Configure the alarm actions to notify the relevant stakeholders.
    • Save the changes.

  3. Validate and Test:

    • Perform a test action related to AWS Organizations changes to generate the log events.
    • Verify that the log metric filter captures the events.
    • Check that the CloudWatch alarm triggers based on the defined threshold.
    • Ensure that the notifications are received correctly.

  4. Remediation Automation:

    • Consider automating the deployment of log metric filters and alarms using infrastructure-as-code (IaC) approaches such as AWS CloudFormation or AWS CDK.
    • Implement automated testing and validation of the rule in the CI/CD pipeline to avoid configuration drift.

By following these steps, you can ensure the existence of a log metric filter and alarm for AWS Organizations changes, enabling effective monitoring and timely alerting capabilities within your AWS environment.
