CloudWatch log metric filter and alarm for IAM policy changes should be configured

Description

A CloudWatch metric filter and alarm should be established for changes made to Identity and Access Management (IAM) policies. Monitoring changes to IAM policies helps ensure authentication and authorization controls remain intact.

Console Remediation Steps

  • This is a two-part process. First, you create the Metric Filter.

    • Navigate to CloudWatch.

    • In the left navigation pane, select Logs.

    • Select the log group you created for the CloudTrail Log events.

    • Click Create Metric Filter.

    • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}

    • Choose Assign Metric.

    • For Filter Name, type IAMPolicyChanges.

    • For Metric Namespace, type CloudTrailMetrics.

    • For Metric Name, type IAMPolicyChangesEventCount.

    • Choose Show advanced metric settings.

    • For Metric Value, type 1.

    • Choose Create Filter.

  • Create an Alarm. After you create the metric filter, follow the steps below to create an alarm.

    • On the Filters for Log_Group_Name page, click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • In Name, enter IAM Policy Changes.

      • For Whenever, select >= 1, for 1 consecutive period.

      • From the period drop-down, select 5 minutes.

      • From the Statistic drop-down, select Sum.

      • In the Actions section, under Send notification to, select New List and enter a unique name for it; in Email List, type the email address to which you want notifications sent.

    • Click Create Alarm.
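The following is an added example, not part of the original remediation steps or AWS code: it applies the filter pattern above to a few constructed CloudTrail-style records the way CloudWatch Logs would when computing the IAMPolicyChangesEventCount metric, then applies the alarm's >= 1 threshold. Useful for checking which API calls the pattern does and does not catch before relying on the alarm (the sample records, including the user name, are invented).

```python
"""Evaluate the IAM-policy-change metric filter against sample CloudTrail
records and apply the alarm threshold. Constructed example, not AWS code."""
import json
import re

# The filter pattern from the console steps above, verbatim.
FILTER_PATTERN = (
    "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||"
    "($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||"
    "($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||"
    "($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||"
    "($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||"
    "($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||"
    "($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||"
    "($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
)


def pattern_event_names(pattern):
    """Extract the eventName values OR'ed together in a JSON filter pattern
    of the form {($.eventName=X)||($.eventName=Y)...}; matching is exact."""
    return set(re.findall(r"\$\.eventName=(\w+)", pattern))


def metric_value(log_lines, pattern=FILTER_PATTERN):
    """Sum of the per-record Metric Value (1 per matching record): the data
    point the alarm compares against its threshold for one period."""
    names = pattern_event_names(pattern)
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines never match a JSON filter pattern
        if record.get("eventName") in names:
            total += 1
    return total


def alarm_state(count, threshold=1):
    """Alarm configured as 'Whenever >= 1 for 1 consecutive period'."""
    return "ALARM" if count >= threshold else "OK"


# Constructed CloudTrail-style records (not real log data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
                "userIdentity": {"type": "IAMUser", "userName": "example-admin"}}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "GetUser"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}),
    "not json at all",
]

if __name__ == "__main__":
    count = metric_value(SAMPLE_LOG_LINES)  # 2: AttachUserPolicy, CreatePolicyVersion
    print(f"IAMPolicyChangesEventCount for this period: {count}")
    print("alarm state:", alarm_state(count))
```

Note that PutBucketPolicy (an S3 call) and read-only calls such as GetUser are not in the pattern, so they do not count toward the metric.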

CLI Remediation Steps