CloudWatch log metric filter and alarm for unauthorized API calls should be configured

Description

It is recommended that users setup a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.

Console Remediation Steps

  • This is a two part process. First, you create the Metric Filter.

    • Navigate to CloudWatch.

    • In the left navigation, click Logs.

    • Select the log group that you created for CloudTrail log events.

    • Choose Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }

    • Choose Assign Metric.

    • For Filter Name, type AuthorizationFailures.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type AuthorizationFailureCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm. After you create the metric filter, follow the steps below to create an alarm.

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter Authorization Failures.

      • In Whenever is >= 1. For 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, in the Send notification to, select New List > enter a unique name for it, In Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.

CLI Remediation Steps