Plugin Title | CloudWatch Monitoring Metrics |
Cloud | AWS |
Category | CloudWatchLogs |
Description | Ensures metric filters are set up for CloudWatch logs to detect security risks from CloudTrail. |
More Info | Sending CloudTrail logs to CloudWatch is only useful if metrics are set up to detect risky activity from those logs. There are numerous metrics that should be used. For the exact filter patterns, please see this plugin on GitHub: https://github.com/cloudsploit/scans/blob/master/plugins/aws/cloudwatchlogs/monitoringMetrics.js |
AWS Link | http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html |
Recommended Action | Enable metric filters to detect malicious activity in CloudTrail logs sent to CloudWatch. |
- Log into the AWS Management Console.
- Select the "Services" option and search for CloudWatch.
- Scroll down the left navigation panel and choose "Alarms".
- On the "Alarms" page click on the "Settings" button below "Create alarm" button to open the CloudWatch dashboard.
- In the "Preference" tab scroll down the page and select the "Metric Name" toggle button and click on the "Confirm" button to save the changes.
- On the "Alarms" page, check under "Metric Name" for any available alarm on "CloudTrailEventCount"; if there is none, CloudTrail security threats are not monitored using CloudWatch.
- Repeat steps number 2 - 6 to verify "CloudWatch Monitoring Metrics" for other regions.
- Select the "Services" option and search for "SNS" for creating a simple notification service to send notifications when "CloudWatch alarm" is triggered.
- On the "Amazon SNS" page scroll down the left navigation panel and choose "Topics" and click on the "Create topic" button at the extreme right.
- In the "Create topic" page enter the "Name" and "Display name" for the topic and click on the "Create topic" button at the bottom.
- Access the newly created topic by clicking on the "Name" of the topic.
- Select the "Subscription" tab from the bottom dashboard and click on the "Create Subscription" button.
- Select the "Email" as "Protocol" from the dropdown menu and enter the email address that can receive notifications from "Amazon SNS" and click on the "Create subscription" button.
- Confirm the "Subscription" by clicking on the link on your email id for the "Amazon SNS" topic.
- Navigate to "CloudWatch" dashboard and select "Logs" from the left navigation panel.
- On the "Log Groups" page select the log group created for the CloudTrail trail event logs and click Create Metric Filter button at the top.
- On the "Filter Pattern" page specify the terms or patterns to match log events to create metrics and click on the "Assign Metric" button at the bottom.
- On the "Create Metric Filter and Assign a Metric" page enter a name for the filter name and enter a name for "Metric Namespace" and "Metric Name" and click on the "Create Filter" button.
- Click on the "Create Alarm" button on the same page.
- On the "Specify metric and conditions" tab define the "Conditions" for threshold value and enter the threshold value and click on the "Next" button.
- On the "Configure actions" tab select the "Notification" and "SNS Topic" by clicking on the "Select an existing SNS topic" and click on the "Next" button.
- On the "Add a description" tab enter the "Alarm name" and "Alarm description" and click on the "Next" button.
- On the "Preview and create" page review the settings and click on the "Create alarm" button at the bottom.
- Repeat steps number 8 - 23 to enable metric filters to detect malicious activity in CloudTrail logs sent to CloudWatch.
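The steps above build three things per region: a metric filter on the CloudTrail log group, an alarm on the metric it emits, and an SNS action so the alarm actually notifies someone. The script below is an added example (not the CloudSploit plugin's code, and not AWS documentation) that audits a log group for exactly that chain: filter present, alarm present, alarm wired to an action. The three filter patterns are example patterns chosen for this illustration, not the plugin's list (which lives at the GitHub URL given above); the sample `describe_metric_filters` and `describe_alarms` responses are constructed inline so the audit runs offline, and `fetch_live` only sketches the boto3 calls that would replace them.

```python
"""Audit a CloudTrail log group for security metric filters and their alarms.

The audit logic works on the dict shapes returned by
logs.describe_metric_filters() and cloudwatch.describe_alarms(), so it can be
exercised offline with constructed data; fetch_live() shows the live calls.
"""
from __future__ import annotations

# Example filter patterns for this audit (constructed for illustration; the
# plugin's own list is at the GitHub URL on the page).
REQUIRED_PATTERNS = {
    "unauthorized_api_calls": '{ ($.errorCode = "*UnauthorizedOperation") '
                              '|| ($.errorCode = "AccessDenied*") }',
    "console_login_without_mfa": '{ ($.eventName = "ConsoleLogin") '
                                 '&& ($.additionalEventData.MFAUsed != "Yes") }',
    "root_account_usage": '{ $.userIdentity.type = "Root" '
                          '&& $.userIdentity.invokedBy NOT EXISTS '
                          '&& $.eventType != "AwsServiceEvent" }',
}


def normalize(pattern: str) -> str:
    """Collapse whitespace so patterns typed slightly differently still compare equal."""
    return " ".join(pattern.split())


def audit_log_group(metric_filters: list[dict], alarms: list[dict],
                    required: dict[str, str] = REQUIRED_PATTERNS) -> dict[str, str]:
    """Return check name -> 'ok' | 'no_filter' | 'no_alarm'.

    'ok' means a filter with the required pattern exists AND an alarm with at
    least one action (e.g. an SNS topic) watches a metric that filter emits.
    An alarm with no actions is treated as missing: it would never notify.
    """
    alarmed_metrics = {
        (a["Namespace"], a["MetricName"])
        for a in alarms if a.get("AlarmActions")
    }
    result = {}
    for name, pattern in required.items():
        want = normalize(pattern)
        matching = [f for f in metric_filters
                    if normalize(f.get("filterPattern", "")) == want]
        if not matching:
            result[name] = "no_filter"
            continue
        # A filter may publish several metric transformations; any alarmed one counts.
        wired = any(
            (t["metricNamespace"], t["metricName"]) in alarmed_metrics
            for f in matching for t in f.get("metricTransformations", [])
        )
        result[name] = "ok" if wired else "no_alarm"
    return result


def fetch_live(log_group_name: str, region: str) -> tuple[list[dict], list[dict]]:
    """Pull the real inputs for audit_log_group (requires boto3 and credentials)."""
    import boto3  # imported lazily so the offline audit needs no AWS SDK
    logs = boto3.client("logs", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    filters = logs.describe_metric_filters(logGroupName=log_group_name)["metricFilters"]
    alarms = cw.describe_alarms()["MetricAlarms"]
    return filters, alarms


# Constructed sample responses: one complete chain, one filter with no alarm,
# and one required pattern absent altogether.
SAMPLE_METRIC_FILTERS = [
    {
        "filterName": "UnauthorizedAPICalls",
        "filterPattern": REQUIRED_PATTERNS["unauthorized_api_calls"],
        "logGroupName": "CloudTrail/DefaultLogGroup",
        "metricTransformations": [
            {"metricName": "UnauthorizedAPICalls", "metricNamespace": "CISBenchmark",
             "metricValue": "1"}
        ],
    },
    {
        "filterName": "RootAccountUsage",
        "filterPattern": REQUIRED_PATTERNS["root_account_usage"],
        "logGroupName": "CloudTrail/DefaultLogGroup",
        "metricTransformations": [
            {"metricName": "RootAccountUsage", "metricNamespace": "CISBenchmark",
             "metricValue": "1"}
        ],
    },
]
SAMPLE_ALARMS = [
    {
        "AlarmName": "UnauthorizedAPICalls",
        "Namespace": "CISBenchmark",
        "MetricName": "UnauthorizedAPICalls",
        "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:example-security-alerts"],
    },
]


if __name__ == "__main__":
    for check, status in audit_log_group(SAMPLE_METRIC_FILTERS, SAMPLE_ALARMS).items():
        print(f"{check:28s} {status}")
```

Run it against a real account by replacing the sample lists with `fetch_live("CloudTrail/DefaultLogGroup", "us-east-1")` for each region you care about, since metric filters and alarms are regional (hence the "repeat for other regions" step above). The `no_alarm` status is the case console checks most often miss: the filter exists, but nothing is watching the metric, or the alarm has no SNS action attached.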