
Ensure a Log Metric Filter and Alarm Exist for Unauthorized API Calls Rule

This rule ensures the presence of a log metric filter and alarm for unauthorized API calls.

Rule: Ensure a log metric filter and alarm exist for unauthorized API calls
Framework: cis_v150
Severity: Low

Rule/Policy: Unauthorized API Calls Log Metric Filter and Alarm

Description:

This rule ensures that a CloudWatch Logs metric filter and a CloudWatch alarm are in place to monitor unauthorized API calls recorded by CloudTrail in the AWS environment, as required by the CIS AWS Foundations Benchmark version 1.5.0.

Troubleshooting Steps:

If the log metric filter and alarm are not present or not functioning as expected, follow these troubleshooting steps:

  1. Verify the log group:

     • Check that the log group specified in the rule is correct.
     • Ensure that the log group is not filtered or excluded from the metric filter.

  2. Verify the metric filter:

     • Check the metric filter and ensure it is capturing unauthorized API calls.
     • Verify that the filter pattern accurately matches unauthorized API call logs.

  3. Verify the alarm:

     • Check that the alarm has been created and is associated with the metric filter.
     • Confirm that the alarm threshold and actions are correctly configured.
     • Ensure that the alarm is triggered when unauthorized API calls occur.

Necessary Codes:

There are no specific codes required for this rule. However, the following AWS CloudFormation template snippets can be helpful if you want to automate it:

  1. Create a log metric filter:

```yaml
Resources:
  MyLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: "your-log-group-name"   # the log group CloudTrail delivers to
      # CIS 4.1 pattern. Both terms use wildcards because CloudTrail records codes
      # such as Client.UnauthorizedOperation and AccessDeniedException; an exact
      # match on errorMessage text would never fire.
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricName: "UnauthorizedAPICalls"
          MetricNamespace: "CIS/UnauthorizedAPICalls"
          MetricValue: "1"
```

  2. Trigger an alarm for the log metric filter:

```yaml
  MyMetricAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: "UnauthorizedAPIAlarm"
      AlarmDescription: "Alarm triggered for unauthorized API calls"
      # Namespace and MetricName must match the MetricTransformation above.
      # No Dimensions are set: the metric filter publishes the metric without
      # any, so an alarm keyed on a LogGroupName dimension would never get data.
      Namespace: "CIS/UnauthorizedAPICalls"
      MetricName: "UnauthorizedAPICalls"
      ComparisonOperator: GreaterThanOrEqualToThreshold   # fire on the first call
      Statistic: Sum
      Threshold: 1
      EvaluationPeriods: 1
      Period: 300
      AlarmActions:
        - !Ref YourNotificationTopic   # SNS topic that receives the notification
```

Replace `your-log-group-name` and `YourNotificationTopic` with your specific values.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.

  2. Navigate to the CloudWatch service.

  3. On the left-hand menu, click on "Logs" and select the appropriate log group.

  4. Click on the "Create Metric Filter" button.

  5. In the "Create Metric Filter" wizard, specify a Filter Pattern that matches unauthorized API call logs. For example (the CIS 4.1 pattern, which uses wildcards so that error codes such as Client.UnauthorizedOperation and AccessDeniedException match):

```
{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
```

  6. Define a metric transformation that assigns a value of 1 for each unauthorized API call. Assign a meaningful Metric Name and Namespace such as "UnauthorizedAPICalls". Click on "Assign Metric" to save the metric filter.

  7. Navigate to the CloudWatch service.

  8. On the left-hand menu, click on "Alarms" and then click on the "Create Alarm" button.

  9. In the "Create Alarm" wizard, select the newly created metric filter from the dropdown list under "Select metric".

  10. Configure the alarm threshold and actions according to your requirements. For example, set the threshold to "Greater than 1" to trigger an alarm when unauthorized API calls occur.

  11. Click "Create Alarm" to save the configuration.

Once these steps are completed, the log metric filter and alarm for unauthorized API calls will be in place, and you will receive notifications whenever unauthorized API calls are detected in your AWS environment.
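As an added check (example code written for this page, not part of Cloud Defense's product or of the rule itself), the following Python evaluates a CloudFormation template, already loaded into a dict, against the troubleshooting steps above: that a metric filter's pattern really matches CloudTrail error codes, that an alarm is bound to the same namespace and metric name, that it has notification actions, and that its threshold fires on a single call. The template dict, resource names and placeholder values are constructed from the snippets above.

```python
import fnmatch
import re

# Constructed sample: the page's CloudFormation resources as yaml.safe_load would return them.
TEMPLATE = {"Resources": {
    "MyLogMetricFilter": {"Type": "AWS::Logs::MetricFilter", "Properties": {
        "LogGroupName": "your-log-group-name",
        "FilterPattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        "MetricTransformations": [{"MetricName": "UnauthorizedAPICalls",
                                   "MetricNamespace": "CIS/UnauthorizedAPICalls",
                                   "MetricValue": "1"}]}},
    "MyMetricAlarm": {"Type": "AWS::CloudWatch::Alarm", "Properties": {
        "Namespace": "CIS/UnauthorizedAPICalls", "MetricName": "UnauthorizedAPICalls",
        "ComparisonOperator": "GreaterThanOrEqualToThreshold", "Threshold": 1,
        "AlarmActions": [{"Ref": "YourNotificationTopic"}]}}}}


def filter_covers_unauthorized(pattern):
    """True if $.errorCode terms wildcard-match both CIS 4.1 error classes."""
    # CloudTrail records e.g. Client.UnauthorizedOperation / AccessDeniedException; exact terms never match.
    terms = re.findall(r'\$\.errorCode\s*=\s*["\']([^"\']*)["\']', pattern)
    hit = lambda code: any(fnmatch.fnmatchcase(code, t) for t in terms)
    return hit("Client.UnauthorizedOperation") and hit("AccessDeniedException")


def check_template(template):
    """Return findings (empty list = rule satisfied): filter pattern, alarm wiring, actions."""
    res = list(template.get("Resources", {}).values())
    metrics, findings = {}, []
    for r in (r for r in res if r["Type"] == "AWS::Logs::MetricFilter"):
        p = r["Properties"]
        if filter_covers_unauthorized(p.get("FilterPattern", "")):
            for t in p.get("MetricTransformations", []):
                metrics[(t["MetricNamespace"], t["MetricName"])] = t.get("Dimensions", [])
    if not metrics:
        return ["no metric filter captures unauthorized API calls"]
    alarms = [r["Properties"] for r in res if r["Type"] == "AWS::CloudWatch::Alarm"]
    wired = [a for a in alarms if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not wired:
        return ["no alarm is associated with the unauthorized-API metric"]
    for a in wired:
        # A dimension the filter never publishes leaves the alarm in INSUFFICIENT_DATA.
        if a.get("Dimensions") and not metrics[(a["Namespace"], a["MetricName"])]:
            findings.append("alarm uses Dimensions the metric filter never publishes")
        if not a.get("AlarmActions"):
            findings.append("alarm has no AlarmActions, so nobody is notified")
        op, thr = a.get("ComparisonOperator"), float(a.get("Threshold", 0))
        if not ((op == "GreaterThanOrEqualToThreshold" and thr <= 1)
                or (op == "GreaterThanThreshold" and thr < 1)):
            findings.append("alarm threshold does not fire on a single call")
    return findings
```

Run it against a template converted with `yaml.safe_load` (intrinsic functions such as `!Ref` need a CloudFormation-aware loader) before deploying, or point it at the output of `aws cloudformation get-template`.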
