This rule ensures the presence of a log metric filter and alarm for tracking AWS Organizations changes.
| Field | Value |
| --- | --- |
| Rule | Ensure a log metric filter and alarm exists for AWS Organizations changes |
| Framework | cis_v140 |
| Severity | ✔ Low |
Description of the Rule
The rule "Ensure a log metric filter and alarm exists for AWS Organizations changes for cis_v140" aims to monitor and generate an alarm for any changes made to your AWS Organizations configuration. This helps to strengthen the security and compliance posture of your AWS environment and ensures that any unexpected modifications to your organization's structure or settings are promptly identified.
When enabled, this rule verifies that a log metric filter and an alarm exist which specifically capture and alarm on modifications to AWS Organizations, as defined by the cis_v140 benchmark.
Troubleshooting
If the log metric filter and alarm for AWS Organizations changes are not present or not functioning properly, you can follow the steps below to troubleshoot the issue:
Check IAM Permissions: Ensure that the IAM role used by your monitoring solution (or by the AWS services themselves) has the permissions needed to create, modify, and read log metric filters and alarms. Review the IAM policy attached to the role to verify that the required permissions are granted.
Confirm Log Group configuration: Ensure that the log group used to capture the logs related to AWS Organizations changes exists and is properly configured. You can verify the log group settings, such as the retention period and log stream configuration, to ensure they are suitable for your monitoring needs.
Verify Filter Pattern: Double-check the filter pattern configured for the log metric filter. The pattern should accurately match the log events generated by AWS Organizations changes. Review the AWS documentation or consult with your monitoring solution to ensure the correct filter pattern is in place.
Alarm Configuration: Review the alarm configuration associated with the log metric filter. Ensure that the alarm threshold, actions, and notification settings are correctly specified. Make sure that the alarm is configured to trigger actions/alerts when AWS Organizations changes are detected.
Check CloudWatch Alarm State: Verify that the CloudWatch alarm associated with the log metric filter is in the "OK" state. If the state is "ALARM", check the associated actions and notification settings to ensure they are correctly configured.
Necessary Codes
No specific code snippets are required for this rule. However, you will need to use AWS CloudFormation or AWS CLI commands to create the log metric filter and alarm if they are not already in place.
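The check this rule performs, written out as an added example that is not part of the original page or of any tool it describes: it scans records in the shape returned by `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` for a filter whose pattern names the Organizations event source and the event names listed under this control in CIS v1.4.0 (the event list is reproduced from memory and should be confirmed against your benchmark copy), then confirms an alarm with at least one action watches that filter's metric. The sample filter, alarm, account id and SNS topic are constructed placeholders.

```python
import re

# Event source and event names this control monitors (CIS AWS Foundations
# v1.4.0 control 4.15, reproduced from memory; confirm against the benchmark).
ORG_SOURCE = "organizations.amazonaws.com"
ORG_EVENTS = {
    "AcceptHandshake", "AttachPolicy", "CreateAccount", "CreateOrganizationalUnit",
    "CreatePolicy", "DeclineHandshake", "DeleteOrganization", "DeleteOrganizationalUnit",
    "DeletePolicy", "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy", "UpdateOrganizationalUnit",
}

def missing_events(pattern):
    """Required event names that the filter pattern does not mention. This is a
    literal scan of `$.eventName = "..."` terms, not a full filter-syntax parser."""
    if ORG_SOURCE not in pattern:
        return set(ORG_EVENTS)
    named = set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))
    return ORG_EVENTS - named

def check_org_monitoring(metric_filters, alarms):
    """Return (compliant, reason). The reason names which troubleshooting step
    applies: no matching filter pattern, no alarm on the metric, or no actions."""
    reason = "no metric filter covers AWS Organizations changes"
    for mf in metric_filters:
        if missing_events(mf.get("filterPattern", "")):
            continue
        for t in mf.get("metricTransformations", []):
            watching = [a for a in alarms if a.get("MetricName") == t["metricName"]
                        and a.get("Namespace") == t["metricNamespace"]]
            if not watching:
                reason = f"filter {mf['filterName']} has no alarm on {t['metricName']}"
                continue
            acting = [a for a in watching if a.get("AlarmActions")]
            if acting:
                return True, f"{mf['filterName']} -> {acting[0]['AlarmName']}"
            reason = f"alarm on {t['metricName']} has no actions configured"
    return False, reason

# Constructed sample records in the shape of describe-metric-filters /
# describe-alarms output; the account id and topic name are placeholders.
CIS_PATTERN = ("{ ($.eventSource = organizations.amazonaws.com) && ("
               + " || ".join(f'($.eventName = "{e}")' for e in sorted(ORG_EVENTS)) + ") }")
SAMPLE_FILTERS = [{"filterName": "OrganizationsChanges", "filterPattern": CIS_PATTERN,
                   "metricTransformations": [{"metricName": "OrganizationsEvents",
                                              "metricNamespace": "CISBenchmark"}]}]
SAMPLE_ALARMS = [{"AlarmName": "OrganizationsChangesAlarm", "Namespace": "CISBenchmark",
                  "MetricName": "OrganizationsEvents",
                  "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example-topic"]}]
```

Feeding it the real output of the two CLI calls gives the same pass/fail reason the troubleshooting steps above walk through by hand.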
Step-by-step Remediation Guide
Follow the steps below to remediate the rule "Ensure a log metric filter and alarm exists for AWS Organizations changes for cis_v140" in AWS:
Navigate to the CloudWatch Console: Open the AWS Management Console and go to the CloudWatch service.
Create or Select Log Group: If you have not already created a log group to capture AWS Organizations logs, click on "Logs" in the CloudWatch sidebar menu and then click on "Actions." Choose "Create log group" and provide a suitable name and configuration for your log group. If a log group already exists, select it from the log groups list.
Create Log Metric Filter: In the log group settings, click on "Create metric filter" under the "Actions" menu. Define the filter pattern that matches the log events associated with AWS Organizations changes. Specify the log group, filter name, and other required details as per your requirements.
Configure Log Metric Filter Alarm: Once the log metric filter is created, click on the "Create alarm" button next to it. Configure the alarm threshold, actions, and notification settings accordingly. Ensure that the alarm is set to trigger when a change to AWS Organizations is detected, as specified by the cis_v140 benchmark.
Save and Test the Configuration: Review the alarm details and click on the "Create alarm" button to save the configuration. Once the alarm is created, test it by making a sample change to your AWS Organizations structure or settings. This will trigger the alarm if the log metric filter is correctly capturing the relevant log events.
Monitor and Respond to Alarms: Regularly monitor the CloudWatch Alarms section to ensure that the alarm state is maintained correctly. If the alarm triggers, investigate the cause of the change and take appropriate actions to remediate any unauthorized modifications to your AWS Organizations.
By following the above steps, you will ensure the existence of a log metric filter and alarm that captures and generates alerts for AWS Organizations changes, as per the cis_v140 benchmark requirements.