Rule: Ensure a log metric filter and alarm exist for unauthorized API calls

Rule Description:

Troubleshooting Steps:

2. 1.
   Verify IAM Role Permissions: Ensure that the IAM role associated with the log metric filter and alarm has the necessary permissions to access CloudWatch Logs and create/update metrics and alarms.
4. 2.
   Check Log Group Subscription: Ensure that the log group containing API logs is properly subscribed to CloudWatch Logs. If not, create a subscription filter to forward the relevant logs to CloudWatch.
6. 3.
   Validate Log Metric Filter: Review the log metric filter configuration to ensure it is accurately filtering and extracting the necessary information from the API logs. Check the filter pattern and field mappings.
8. 4.
   Test Alarm Thresholds: Confirm that the alarm thresholds are set appropriately to trigger an alert when unauthorized API calls are detected. Adjust the thresholds if necessary.
10. 5.
    Verify Alarm Actions: Check the configured actions for the alarm, such as sending a notification, triggering an AWS Lambda function, or invoking an SNS topic. Ensure that these actions are properly configured and functional.
12. 6.
    Monitor for Log Ingestion: If there are no logs being ingested in the log group, investigate the issue with API logging configuration. Ensure that the appropriate logs are being generated by the APIs.

Necessary Code:

Resources:
  LogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: /aws/apigateway/{your-log-group-name}
      FilterPattern: '{your-filter-pattern}'
      MetricTransformations:
        - MetricName: UnauthorizedApiCalls
          MetricNamespace: NIST/CSF
          MetricValue: '1'
  UnauthorizedApiCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: UnauthorizedApiCallsAlarm
      AlarmDescription: Unauthorized API Calls Alarm
      MetricName: UnauthorizedApiCalls
      Namespace: NIST/CSF
      Statistic: SampleCount
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      AlarmActions:
        - arn:aws:sns:us-east-1:1234567890:your-sns-topic
      AlarmDescription: Unauthorized API Calls Alarm
      Dimensions:
        - Name: LogGroupName
          Value: /aws/apigateway/{your-log-group-name}

{your-log-group-name}

{your-filter-pattern}

arn:aws:sns:us-east-1:1234567890:your-sns-topic

Remediation Steps:

2. 1.
   Navigate to the AWS Management Console and open the CloudFormation service.
4. 2.
   Create a new CloudFormation stack or select an existing one where you want to add the log metric filter and alarm.
6. 3.
   Copy and paste the necessary code provided above into the CloudFormation template section.
8. 4.
   Modify the code to specify the correct log group name, filter pattern, and alarm actions.
10. 5.
    Click on "Next" and proceed through the CloudFormation steps, providing any required parameters.
12. 6.
    Review the stack details and click on "Create" to initiate the creation/update of the CloudFormation stack.
14. 7.
    Wait for the stack creation/update to complete, ensuring there are no errors during the process.
16. 8.
    Once the stack is created/updated successfully, the log metric filter and alarm for unauthorized API calls will be in place.
18. 9.
    Verify the alarm is properly functioning by intentionally triggering unauthorized API calls and confirming the alarm triggers and sends the defined notification.