CloudWatch log metric filter and alarm should be set for S3 bucket policy changes

Description

A CloudWatch metric filter and alarm should be established for changes to S3 bucket policies. Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.

Console Remediation Steps

  • Navigate to CloudWatch.

  • In the navigation pane, choose Logs.

  • In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  • Choose Create Metric Filter.

  • On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following: { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }

  • For Metric Namespace, type CloudTrailMetrics.

  • For Metric Name, type S3BucketActivityEventCount.

  • Choose Show advanced metric settings.

  • For Metric Value, type 1.

  • Choose Create Filter.

  • Create an Alarm.

  • After you create the metric filter, follow this procedure to create an alarm.

  • On the Filters for Log_Group_Name page, next to the CloudTrailMetrics filter name, choose Create Alarm.

  • On the Create Alarm page, provide the following values: Name: S3 Bucket Activity; condition: is >= 1 for 1 consecutive period; Period: 5 minutes; Statistic: Sum; Send notification to: NotifyMe; Email list: email list.

CLI Remediation Steps

  • Create the metric filter for S3 Bucket Changes:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>,metricValue=1,defaultValue=0

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>
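The following Python module is an added example and is not part of the original control text or of any vendor tooling. It reproduces the decision the metric filter above makes, so the pattern's logic can be exercised offline against constructed CloudTrail records, and it adds the audit half of the control: given output shaped like the boto3 `describe_metric_filters` and `describe_alarms` responses, it reports whether a filter covering all nine event names exists and whether an alarm with at least one action is attached to the metric that filter emits. The sample log lines and API responses are constructed here; the function names are this example's own.

```python
"""Added example: detection logic of the S3 bucket-policy-change metric
filter, plus an offline audit of whether the filter-and-alarm control is
in place.  All sample records and API responses below are constructed."""
import json
import re

# The nine S3 API calls selected by the filter pattern in the control text.
S3_POLICY_EVENTS = (
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
)

# Same pattern as the control text, built from the list so the two stay in sync.
FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && ("
    + " || ".join(f"($.eventName = {e})" for e in S3_POLICY_EVENTS)
    + ") }"
)


def matches_filter(event: dict) -> bool:
    """Mirror of the metric filter: True for a CloudTrail record that is one
    of the S3 bucket-configuration changes the control monitors."""
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") in S3_POLICY_EVENTS)


def metric_value(log_line: str) -> int:
    """Value the filter contributes for one CloudWatch log event: 1 on a
    match, otherwise the defaultValue of 0 (unparseable lines count as 0)."""
    try:
        return 1 if matches_filter(json.loads(log_line)) else 0
    except json.JSONDecodeError:
        return 0


def pattern_covers_required_events(pattern: str) -> bool:
    """Syntactic check (not a full filter-grammar parser): the pattern must
    name eventSource s3.amazonaws.com and every required eventName."""
    names = set(re.findall(r"\$\.eventName\s*=\s*(\w+)", pattern))
    has_source = re.search(r"\$\.eventSource\s*=\s*s3\.amazonaws\.com", pattern)
    return bool(has_source) and names >= set(S3_POLICY_EVENTS)


def control_is_satisfied(metric_filters: list, alarms: list) -> bool:
    """True when some filter (describe_metric_filters 'metricFilters' shape)
    covers the required events AND an alarm (describe_alarms 'MetricAlarms'
    shape) with at least one action watches the metric it emits."""
    for mf in metric_filters:
        if not pattern_covers_required_events(mf.get("filterPattern", "")):
            continue
        for t in mf.get("metricTransformations", []):
            for alarm in alarms:
                if (alarm.get("MetricName") == t.get("metricName")
                        and alarm.get("Namespace") == t.get("metricNamespace")
                        and alarm.get("AlarmActions")):
                    return True
    return False


# Constructed CloudTrail records as they would appear as CloudWatch log events.
SAMPLE_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "requestParameters": {"bucketName": "example-sensitive-bucket"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetObject"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "PutBucketPolicy"}),
    "not a json record",
]

# Constructed API responses mirroring the CLI remediation above.
GOOD_FILTERS = [{"filterName": "S3BucketPolicyChanges", "filterPattern": FILTER_PATTERN,
                 "metricTransformations": [{"metricName": "S3BucketActivityEventCount",
                                            "metricNamespace": "CloudTrailMetrics",
                                            "metricValue": "1", "defaultValue": 0.0}]}]
GOOD_ALARMS = [{"AlarmName": "S3 Bucket Activity", "MetricName": "S3BucketActivityEventCount",
                "Namespace": "CloudTrailMetrics", "Statistic": "Sum", "Period": 300,
                "EvaluationPeriods": 1, "Threshold": 1.0,
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:NotifyMe"]}]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(metric_value(line), line[:60])
    print("control satisfied:", control_is_satisfied(GOOD_FILTERS, GOOD_ALARMS))
```

A filter whose pattern lists only some of the event names, or an alarm created without `--alarm-actions`, both make `control_is_satisfied` return False, which is the gap an auditor is looking for: a filter that emits a metric nobody is notified about is not a working control.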