CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account

Description

Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Console Remediation Steps

  • Create the Metric Filter:

    • Navigate to CloudWatch.

    • In the left navigation, click Logs.

    • Select the log group that you created for CloudTrail log events.

    • Choose Actions > Create Metric Filter.

    • On the Define Pattern screen, enter the following: { ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }

    • Select Next.

    • Enter a filter name.

    • Enter a metric namespace.

    • Enter a metric name.

    • For Metric Value, type 1.

    • Select Next.

    • Select Create Metric Filter.

  • Create an Alarm:

    • On the Metric Filters tab of the same log group, check the box for the filter you just created and click Create Alarm.

    • On the Create Alarm page, provide the following values:

      • Under Statistic, select Sum.

      • Under Period, select 5 minutes.

      • Under Threshold type, select Static.

      • Under “Whenever <filter name> is…” select Greater/Equal.

      • Under “than…” enter 1.

      • Set Datapoints to alarm to 1 out of 1.

    • Select Next.

    • On the Configure Actions page, provide the following values:

      • Under Alarm state trigger, select In alarm.

      • Under Select an SNS topic, click Select an existing SNS topic.

      • Under Send a notification to… select the desired topic.

    • Select Next.

    • Enter an alarm name and description.

    • Click Create Alarm.

CLI Remediation Steps

  • To enable the CloudWatch log metric filter and alarm for AWS Organizations changes for the master account:

  • Step 1. Create a metric filter:

aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name <organizations_changes> --metric-transformations metricName=<organizations_changes>,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'

  • Step 2. Create an SNS topic that the alarm will notify:

aws sns create-topic --name <sns_topic_name>

  • Step 3. Create an SNS subscription to the topic created in step 2:

aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>

  • Step 4. Create an alarm that is associated with the CloudWatch Logs metric filter created in step 1 and the SNS topic created in step 2:

aws cloudwatch put-metric-alarm --alarm-name <organizations_changes> --metric-name <organizations_changes> --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>
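The following Python script is an added example, not part of this page or of any AWS tooling. It renders the same filter pattern and alarm settings the console and CLI steps above use, and evaluates a handful of constructed CloudTrail records against a local emulation of the pattern, so you can confirm which Organizations calls would raise the metric before deploying anything. The log group name, filter name, topic ARN and account id in it are placeholders; the `TagResource` record illustrates that the pattern is an explicit allow-list and reports nothing for Organizations write calls outside that list.

```python
"""Offline check for the AWS Organizations change filter and alarm.

Added example (not the page's own code): builds the filter pattern and the
put-metric-filter / put-metric-alarm parameters from the page, then runs
constructed CloudTrail records through a local emulation of the pattern.
"""
import json

# The 18 Organizations API calls the page's filter pattern watches.
ORG_EVENT_NAMES = [
    "AcceptHandshake", "AttachPolicy", "CreateAccount",
    "CreateOrganizationalUnit", "CreatePolicy", "DeclineHandshake",
    "DeleteOrganization", "DeleteOrganizationalUnit", "DeletePolicy",
    "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy", "UpdateOrganizationalUnit",
]
ORG_EVENT_SOURCE = "organizations.amazonaws.com"


def build_filter_pattern(event_names=ORG_EVENT_NAMES):
    """Render the CloudWatch Logs filter pattern exactly as the page gives it."""
    clauses = " || ".join(f'($.eventName = "{name}")' for name in event_names)
    return f"{{ ($.eventSource = {ORG_EVENT_SOURCE}) && ({clauses}) }}"


def matches_filter(record, event_names=ORG_EVENT_NAMES):
    """Local emulation of the pattern: same two fields, same conditions."""
    return (record.get("eventSource") == ORG_EVENT_SOURCE
            and record.get("eventName") in set(event_names))


def metric_datapoint(records):
    """Sum of metric values (1 per matching record) one 5-minute period would see."""
    return sum(1 for r in records if matches_filter(r))


def unmatched_write_events(records, event_names=ORG_EVENT_NAMES):
    """Organizations write calls the explicit list would miss (gap check)."""
    return sorted({r["eventName"] for r in records
                   if r.get("eventSource") == ORG_EVENT_SOURCE
                   and not r.get("readOnly", False)
                   and r["eventName"] not in event_names})


def build_metric_filter_params(log_group, filter_name, namespace="CISBenchmark"):
    """Parameters equivalent to the page's `aws logs put-metric-filter` call."""
    return {
        "logGroupName": log_group,
        "filterName": filter_name,
        "filterPattern": build_filter_pattern(),
        "metricTransformations": [{
            "metricName": filter_name,
            "metricNamespace": namespace,
            "metricValue": "1",   # the API takes the metric value as a string
        }],
    }


def build_alarm_params(alarm_name, metric_name, topic_arn, namespace="CISBenchmark"):
    """Parameters equivalent to the page's `aws cloudwatch put-metric-alarm` call."""
    return {
        "AlarmName": alarm_name,
        "MetricName": metric_name,
        "Namespace": namespace,
        "Statistic": "Sum",
        "Period": 300,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "EvaluationPeriods": 1,
        "AlarmActions": [topic_arn],
    }


# Constructed CloudTrail records (not real account data; account id is a placeholder).
SAMPLE_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount",
     "recipientAccountId": "111111111111", "readOnly": False},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization",
     "recipientAccountId": "111111111111", "readOnly": True},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "recipientAccountId": "111111111111", "readOnly": False},
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization",
     "recipientAccountId": "111111111111", "readOnly": False},
    {"eventSource": "organizations.amazonaws.com", "eventName": "TagResource",
     "recipientAccountId": "111111111111", "readOnly": False},
]


if __name__ == "__main__":
    print(build_filter_pattern())
    print("datapoint for sample records:", metric_datapoint(SAMPLE_RECORDS))
    print("write calls not covered:", unmatched_write_events(SAMPLE_RECORDS))
    print(json.dumps(build_metric_filter_params(
        "CloudTrail/DefaultLogGroup-placeholder", "organizations_changes"), indent=2))
```

The emulation only looks at `eventSource` and `eventName`, the two fields the pattern references, so it says nothing about how CloudTrail delivers the record. To test the pattern against the real service rather than the emulation, pass the rendered pattern and a sample record to `aws logs test-metric-filter --filter-pattern ... --log-event-messages ...`, which returns the matches without creating any filter.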