
Ensure a Log Metric Filter and Alarm Exist for Unauthorized API Calls Rule

This rule ensures the presence of a log metric filter and alarm for unauthorized API calls.

Rule: Ensure a log metric filter and alarm exist for unauthorized API calls
Framework: cis_v140
Severity: Low

Rule Description:

In order to maintain a secure environment, it is crucial to track and monitor unauthorized API calls. CloudTrail records every call that AWS rejected for lack of permission with an errorCode such as AccessDenied, AccessDeniedException or Client.UnauthorizedOperation; a burst of those is often the first visible sign of reconnaissance with stolen or over-scoped credentials, or of automation running under the wrong role. This rule checks that a CloudWatch Logs metric filter counts such events in the CloudTrail log group and that a CloudWatch alarm on that metric notifies someone, as required by control 4.1 of the CIS AWS Foundations Benchmark v1.4.0 (cis_v140).

Troubleshooting Steps:

If the log metric filter and alarm for unauthorized API calls are not present, work through the following checks in order; each one is a prerequisite for the next:

  1.

    Check that CloudTrail delivers to CloudWatch Logs: open the CloudTrail console and confirm that at least one trail is logging, applies to all regions (a multi-region trail, which is what the benchmark expects), and has a log group configured under "CloudWatch Logs". A trail that only writes to S3 is "enabled" but produces no log stream that a metric filter can watch. If no suitable trail exists, create one following the AWS documentation for CloudTrail setup and enable CloudWatch Logs delivery on it.

  2.

    Verify log metric filter existence: in the CloudWatch console, navigate to the "Log groups" section, open the log group the trail writes to, and look at its "Metric filters" tab. The filter pattern the benchmark specifies is:

    Filter pattern: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

    The wildcards matter. CloudTrail records EC2 denials with errorCode "Client.UnauthorizedOperation" and most other services with "AccessDenied" or "AccessDeniedException", so a filter that compares against the literal strings "UnauthorizedOperation" and "AccessDenied" will miss most of them. If the filter is missing or its pattern differs, proceed to the next step.

  3.

    Create a log metric filter: in the CloudWatch console, select the CloudTrail log group and click "Create metric filter". Enter the filter pattern above, then:

    Assign a metric namespace and name for the filter (for example a namespace shared by all your CIS metrics and a metric name such as UnauthorizedAPICalls).

    Set the metric value to "1" so that each matching event adds one to the count; a default value of "0" is optional and keeps the metric continuous when nothing matches.

    Check that the log metric filter is now listed on the log group.

  4.

    Verify alarm existence: in the CloudWatch console, navigate to the "Alarms" section and check for an alarm built on the metric the filter emits (the examples here use the name Unauthorized_API_Calls, but the benchmark checks the metric and the notification action, not the name). The alarm's current state (OK, ALARM or INSUFFICIENT_DATA) is not a criterion; it only reflects whether denied calls occurred recently. The alarm must have an action that publishes to an SNS topic, and that topic needs at least one confirmed subscription, otherwise the alarm fires into the void.

    If the alarm or its notification target is missing, proceed to the next step.

  5.

    Create an alarm: in the CloudWatch console, select "Create alarm" and configure it as follows:

    Alarm name: Unauthorized_API_Calls

    Select the metric the filter created earlier (its namespace and name) as the source for the alarm, with statistic "Sum" over a period such as 5 minutes.

    Set the threshold to "Greater/Equal" 1, so a single denied call within a period triggers the alarm, and treat missing data as "not breaching" so that quiet periods do not flip the alarm between states.

    Choose the action to be taken when the alarm enters the ALARM state: an SNS topic, with a subscription (e-mail, or a queue that feeds your ticketing system or SIEM). E-mail subscriptions must be confirmed from the link AWS sends before they deliver anything.

    Expect some noise: the pattern fires on every denied call, including benign ones from over-scoped tooling or a service role missing a permission, so route the topic to a place where someone triages it rather than to a single inbox.

    Ensure the alarm is created successfully.
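The filter pattern is the piece that decides what the alarm ever sees, so it is worth checking against realistic CloudTrail records before relying on it. The following Python is an added example, not code from the original page or from CloudDefense: it re-implements the small subset of CloudWatch Logs filter-pattern syntax this rule uses (a `$.field` selector compared with `=` to a string that may begin or end with `*`, terms joined by `||`) and runs both the exact-match pattern quoted above and the benchmark's wildcard pattern over a handful of constructed CloudTrail events. The events are made up for the example; the errorCode values in them are the forms the respective services emit.

```python
"""Added example (not from the original page or CloudDefense): run the CIS 4.1
filter pattern over constructed CloudTrail events to see what it catches.

Only the subset of CloudWatch Logs filter-pattern syntax this rule uses is
implemented: ($.field = "value") terms, '*' allowed at either end of the value,
joined with '||'.  Real CloudWatch evaluates the pattern server-side.
"""
import re
from fnmatch import fnmatchcase

# Pattern as quoted on the page (exact match) and as CIS v1.4.0 control 4.1 specifies it.
EXACT_PATTERN = '{($.errorCode = "UnauthorizedOperation") || ($.errorCode = "AccessDenied")}'
CIS_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

_TERM = re.compile(r'\(\s*\$\.(\w+)\s*=\s*"([^"]*)"\s*\)')


def parse_pattern(pattern):
    """Return the OR-ed (field, glob) terms of a pattern; raise on anything unsupported."""
    terms = _TERM.findall(pattern)
    if not terms:
        raise ValueError("unsupported filter pattern: " + pattern)
    return terms


def event_matches(pattern, event):
    """True if the CloudTrail record (a dict) satisfies any term of the pattern."""
    for field, glob in parse_pattern(pattern):
        value = event.get(field)
        # fnmatchcase gives the same '*' semantics CloudWatch uses for string terms;
        # a value without '*' is an exact, case-sensitive comparison.
        if isinstance(value, str) and fnmatchcase(value, glob):
            return True
    return False


# Constructed CloudTrail records, trimmed to the fields that matter here.  The
# errorCode values are the forms the respective services actually emit.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "errorCode": "AccessDenied"},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "errorCode": "AccessDeniedException"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},  # succeeded
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "errorCode": "NoSuchKey"},  # failed, but not an authorization failure
]


def matching_event_names(pattern, events=SAMPLE_EVENTS):
    """Names of the events a metric filter with this pattern would count."""
    return [e["eventName"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    for label, pattern in (("page, exact", EXACT_PATTERN), ("CIS v1.4.0", CIS_PATTERN)):
        print(f"{label:12s} counts {matching_event_names(pattern)}")
```

Run as a script it shows the exact-match pattern counting only the S3 ListBuckets denial, while the benchmark pattern also counts the EC2 and Secrets Manager denials; the successful call and the NoSuchKey failure are ignored by both, which is the intended behaviour.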

Necessary Code:

No code is required for this rule; the configuration can be done entirely in the AWS Management Console as described below. The same objects (the metric filter, the SNS topic and subscription, and the alarm) can equally be created with the AWS CLI (aws logs put-metric-filter, aws sns create-topic, aws sns subscribe, aws cloudwatch put-metric-alarm) or an SDK, which is the better choice when the control has to hold across many accounts.

Step-by-Step Guide for Remediation:

  1.

    Go to the AWS Management Console and log in to your AWS account with permissions to manage CloudTrail, CloudWatch and SNS.

  2.

    Ensure that a multi-region CloudTrail trail is logging and is configured to deliver to a CloudWatch Logs log group. If not, follow the AWS documentation to create the trail and enable CloudWatch Logs delivery on it.

  3.

    Open the CloudWatch console and navigate to the "Log groups" section.

  4.

    Locate the CloudTrail log group the trail writes to.

  5.

    Verify that a log metric filter with the filter pattern from the troubleshooting steps exists on that log group. If not, follow the steps below to create one:

    • Select the CloudTrail log group.
    • Click on the "Create metric filter" button.
    • Configure the filter with the pattern { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }.
    • Assign a metric namespace and name for the filter.
    • Set the metric value to "1" so that each matching event counts once.
    • Confirm and create the log metric filter.
  6.

    Once the log metric filter is created, go to the "Alarms" section in the CloudWatch console.

  7.

    Check if an alarm on the filter's metric (named "Unauthorized_API_Calls" here) exists and publishes to an SNS topic. If not, follow the steps below to create one:

    • Click on the "Create alarm" button.
    • Select the filter's metric as the source, with statistic "Sum" over a period such as 5 minutes.
    • Set the threshold to "Greater/Equal" 1.
    • Select an SNS topic as the action for the ALARM state, and add a subscription (e-mail, or a queue that feeds your alerting pipeline).
    • Confirm and create the alarm.
  8.

    Confirm the subscription (for e-mail, click the confirmation link AWS sends) and verify in the SNS console that the topic shows at least one confirmed subscriber; a topic whose only subscription is still "PendingConfirmation" delivers nothing.

  9.

    Verify that the alarm now exists and, ideally, test it end to end: make one call you know will be denied (for example with a test role that has no permissions) and confirm that the notification arrives within the alarm's period.

By following the above steps, you put in place the metric filter and alarm the benchmark requires, so that denied API calls, an early sign of reconnaissance, misconfigured automation or misused credentials, are surfaced to a person instead of sitting unread in the trail.
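For an account that has to be checked repeatedly, or for many accounts, the console walk-through does not scale. The Python below is an added example and not code from the original page or from CloudDefense: it audits control 4.1 with boto3 (a logging multi-region trail delivering to CloudWatch Logs, a metric filter with the benchmark pattern on that log group, an alarm on the filter's metric with an SNS action, and a confirmed subscriber on the topic) and applies the remediation steps above through the same APIs. The evaluation is a pure function over the describe-call results, so it is exercised here on a constructed inventory and runs offline; the live audit and remediation need boto3 and credentials. The filter, metric namespace, metric, SNS topic and log-group names are assumptions, as is the 5-minute period.

```python
"""Added example, not code from the original page or from CloudDefense: audit and
remediate CIS AWS Foundations Benchmark v1.4.0 control 4.1 with boto3 instead of
the console.  evaluate() is a pure function over describe-call results and runs on
the constructed SAMPLE inventory offline; audit() and remediate() need boto3 and
credentials.  Filter, metric, topic and log-group names are assumptions.
"""
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
FILTER_NAME, NAMESPACE, METRIC = "UnauthorizedAPICalls", "CISBenchmark", "UnauthorizedAPICalls"
ALARM_NAME, TOPIC_NAME = "Unauthorized_API_Calls", "cis-alarms"   # alarm name is the page's

def _norm(p):          # filter patterns are equal modulo whitespace
    return "".join(p.split())

def _group(arn):       # 'arn:aws:logs:REGION:ACCT:log-group:NAME:*' -> 'NAME'
    return arn.split(":log-group:")[1].split(":")[0]

def evaluate(trails, filters, alarms, subs):
    """Findings for control 4.1 (empty list == compliant).
    trails: describe_trails()['trailList'] entries plus 'IsLogging' from get_trail_status();
    filters: {log group: describe_metric_filters()['metricFilters']};
    alarms: describe_alarms_for_metric()['MetricAlarms']; subs: {topic ARN: Subscriptions}."""
    groups = [_group(t["CloudWatchLogsLogGroupArn"]) for t in trails
              if t.get("IsMultiRegionTrail") and t.get("IsLogging")
              and t.get("CloudWatchLogsLogGroupArn")]
    if not groups:
        return ["no logging multi-region trail delivers to CloudWatch Logs"]
    metrics = {(m["metricNamespace"], m["metricName"]) for g in groups
               for f in filters.get(g, []) if _norm(f["filterPattern"]) == _norm(FILTER_PATTERN)
               for m in f["metricTransformations"]}
    if not metrics:
        return ["no metric filter with the CIS pattern on " + ", ".join(groups)]
    topics = [a for al in alarms if (al.get("Namespace"), al.get("MetricName")) in metrics
              for a in al.get("AlarmActions", []) if ":sns:" in a]
    if not topics:
        return ["no alarm with an SNS action exists for the filter's metric"]
    if not any(s.get("SubscriptionArn", "").startswith("arn:")   # else 'PendingConfirmation'
               for t in topics for s in subs.get(t, [])):
        return ["the alarm's SNS topic has no confirmed subscriber"]
    return []

def audit(session):
    """Collect evaluate() inputs from a live account via a boto3.Session."""
    ct, logs, cw, sns = (session.client(s) for s in ("cloudtrail", "logs", "cloudwatch", "sns"))
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    for t in trails:
        t["IsLogging"] = ct.get_trail_status(Name=t["TrailARN"])["IsLogging"]
    filters = {_group(t["CloudWatchLogsLogGroupArn"]): logs.describe_metric_filters(
                   logGroupName=_group(t["CloudWatchLogsLogGroupArn"]))["metricFilters"]
               for t in trails if t.get("CloudWatchLogsLogGroupArn")}
    alarms = [al for fl in filters.values() for f in fl for m in f["metricTransformations"]
              for al in cw.describe_alarms_for_metric(
                  MetricName=m["metricName"], Namespace=m["metricNamespace"])["MetricAlarms"]]
    subs = {a: sns.list_subscriptions_by_topic(TopicArn=a)["Subscriptions"]
            for al in alarms for a in al.get("AlarmActions", []) if ":sns:" in a}
    return evaluate(trails, filters, alarms, subs)

def remediate(session, log_group, email):
    """Apply the page's console steps through the API; the e-mail must then be confirmed."""
    logs, cw, sns = (session.client(s) for s in ("logs", "cloudwatch", "sns"))
    logs.put_metric_filter(logGroupName=log_group, filterName=FILTER_NAME,
        filterPattern=FILTER_PATTERN, metricTransformations=[
            {"metricName": METRIC, "metricNamespace": NAMESPACE, "metricValue": "1"}])
    topic = sns.create_topic(Name=TOPIC_NAME)["TopicArn"]            # idempotent
    sns.subscribe(TopicArn=topic, Protocol="email", Endpoint=email)
    cw.put_metric_alarm(AlarmName=ALARM_NAME, Namespace=NAMESPACE, MetricName=METRIC,
        Statistic="Sum", Period=300, EvaluationPeriods=1, Threshold=1,
        ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching", AlarmActions=[topic])
    return topic

# Constructed inventory of a compliant account, used for the offline demo and tests.
SAMPLE_TOPIC = "arn:aws:sns:us-east-1:123456789012:cis-alarms"
SAMPLE = dict(
    trails=[{"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt",
             "IsMultiRegionTrail": True, "IsLogging": True,
             "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/Default:*"}],
    filters={"CloudTrail/Default": [{"filterPattern": FILTER_PATTERN, "metricTransformations": [
             {"metricNamespace": NAMESPACE, "metricName": METRIC, "metricValue": "1"}]}]},
    alarms=[{"AlarmName": ALARM_NAME, "Namespace": NAMESPACE, "MetricName": METRIC,
             "AlarmActions": [SAMPLE_TOPIC]}],
    subs={SAMPLE_TOPIC: [{"Protocol": "email", "SubscriptionArn": SAMPLE_TOPIC + ":1b2c3d4e"}]})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":        # --live [log-group email]
        import boto3
        s = boto3.Session()
        if len(sys.argv) == 4:
            remediate(s, sys.argv[2], sys.argv[3])
        print(audit(s) or "compliant")
    else:
        print("sample:", evaluate(**SAMPLE) or "compliant")
```

Without arguments the script evaluates the constructed inventory; with `--live` it audits the account the default credential chain resolves to, and with `--live <log-group> <email>` it first creates the filter, topic, subscription and alarm. Note that the audit looks up alarms by the metric each matching filter emits rather than by name, which is what the benchmark actually requires.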
