CloudWatch log metric filter and alarm should be set for S3 bucket policy changes

Description

A CloudWatch metric filter and alarm should be established for changes to S3 bucket policies. Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.

Console Remediation Steps

This is a two part process. First, you create the Metric Filter. Next, you create a CloudWatch alarm. See Creating CloudWatch Alarms for CloudTrail Events: Examples for more information.

  • Step 1: To create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Log Groups and select the desired log group.

    • Select Metric filters > Create Metric Filter.

    • In Filter pattern, enter the following: { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }

    • Click Next.

    • For Filter name, type S3BucketActivity.

    • For Metric namespace, type CloudTrailMetrics.

    • For Metric name, type S3BucketActivityEventCount.

    • For Metric value, type 1.

    • Click Next > Create metric filter.

  • Step 2: To create an Alarm:

    • Check the newly created metric filter and click Create alarm.

    • Select the Threshold type.

    • Define the alarm condition and threshold value.

    • Click Next.

    • In Alarm state trigger, select In alarm.

    • Select an existing SNS topic, create new topic, or use topic ARN.

      • If you selected to create a new topic, enter a name in Create a new topic.

      • Enter an email address in Email endpoints that will receive the notification.

      • Click Create topic.

    • Click Next.

    • Enter an Alarm name.

    • Optionally, enter an alarm description.

    • Click Next > Create alarm.

CLI Remediation Steps

  • Create the metric filter for S3 Bucket Changes:

    • aws logs put-metric-filter --log-group-name <name> --filter-name <name> --filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }' --metric-transformations metricName=<metric name>,metricNamespace=<metric namespace>, metricValue=1,defaultValue=0

  • Create the alarm:

    • aws cloudwatch put-metric-alarm --alarm-name <name> --metric-name <name> --namespace <namespace> --statistic <value> --evaluation-periods <value> --period <value> --threshold <value> --comparison-operator <value> --alarm-actions <arn of topic>