
Ensure a Log Metric Filter and Alarm Exists for AWS Organizations Changes Rule

This rule requires the presence of a log metric filter and alarm for monitoring AWS Organizations changes.

Rule: Ensure a log metric filter and alarm exists for AWS Organizations changes
Framework: cis_v150
Severity: Low

Rule Description:

This rule ensures that a log metric filter and an alarm exist for AWS Organizations changes in your AWS environment. The control is part of the CIS AWS Foundations Benchmark version 1.5.0 (cis_v150), which helps maintain the security and compliance of your AWS resources.

Troubleshooting Steps:

If you encounter any issues with the log metric filter and alarm for AWS Organizations changes, follow these troubleshooting steps:

1. Verify IAM permissions: Ensure that the user or role executing the steps below has the necessary permissions to create and manage log metric filters and alarms.

2. Check CloudTrail configuration: Make sure that CloudTrail is enabled in the AWS region where your resources are located. Additionally, verify the CloudTrail configuration to ensure it captures AWS Organizations changes adequately.

3. Review log metric filter pattern: Double-check the log metric filter pattern to ensure it correctly filters for AWS Organizations changes. Ensure that the filter matches the desired log events and excludes any irrelevant events.

4. Review alarm threshold: Verify the alarm threshold settings to ensure they are appropriately defined. Check if the condition for triggering the alarm is set correctly based on your security and compliance requirements.

5. Validate alarm actions: Ensure the configured alarm actions are appropriate and will notify the relevant stakeholders promptly in case of triggered alarms.

Necessary Code:

No code is necessary for this rule. However, you will need to make use of the AWS Management Console and the AWS Command Line Interface (CLI) to implement the required log metric filter and alarm.

Step-by-Step Guide:

Follow these steps to ensure the log metric filter and alarm exist for AWS Organizations changes:

1. Access AWS CloudTrail:

  • Log into the AWS Management Console.
  • Navigate to the CloudTrail service.

2. Verify CloudTrail Configuration:

  • Ensure that CloudTrail is enabled in the desired AWS region.
  • Review the CloudTrail configuration to confirm that it captures AWS Organizations changes. Adjust the configuration if necessary.

3. Create a Log Metric Filter:

  • Go to the CloudWatch service in the AWS Management Console.
  • Choose "Log groups" from the left navigation pane and select the desired log group that contains the CloudTrail logs.
  • Click on "Create metric filter."
  • Define a filter pattern that specifically captures AWS Organizations changes. For example, the filter pattern may include keywords such as "CreateOrganizationalUnit", "InviteAccountToOrganization", and "MoveAccount".

4. Configure the Log Metric Filter:

  • Specify the name for the log metric filter.
  • Define the metric namespace, such as "CIS/OrganizationsChanges".
  • Set the metric value to "1" for every matched log event.
  • Choose the appropriate IAM role with permission to write metrics, or create a new role.

5. Create an Alarm:

  • After creating the log metric filter, you will be redirected to the CloudWatch Alarms page.
  • Click on "Create alarm" to begin configuring the alarm settings.
  • Select the specific log metric filter you created in the previous steps.
  • Specify the threshold that determines when the alarm will be triggered. For example, you may set a threshold of "1" where one or more AWS Organizations changes will trigger the alarm.
  • Configure the appropriate actions to be taken when the alarm is triggered. This can include sending notifications via Amazon Simple Notification Service (SNS), executing AWS Lambda functions, or other custom actions.

6. Review and Finalize:

  • Double-check all the configurations and settings for the log metric filter and alarm.
  • If everything looks correct, save the configurations, and the log metric filter and alarm will be created.

Following these steps will ensure that you have a log metric filter and alarm in place to capture and respond to AWS Organizations changes according to the requirements of the CIS AWS Foundations Benchmark version 1.5.0 (cis_v150).
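As an added example (not code from the Cloud Defense page), the following Python builds the metric filter pattern for the Organizations event names the steps describe, checks it locally against constructed CloudTrail records so that read-only calls such as DescribeOrganization are excluded, and can apply the filter and a threshold-1 alarm with boto3. The event names beyond the three mentioned above follow the CIS control's published pattern and, like the function names and the "CIS/OrganizationsChanges" namespace, are assumptions.

```python
ORG_EVENT_SOURCE = "organizations.amazonaws.com"
# Event names that change Organizations state; the three from the page plus the
# rest of the CIS 1.5.0 list (assumption: adjust to your own requirements).
ORG_EVENTS = (
    "AcceptHandshake", "AttachPolicy", "CreateAccount", "CreateOrganizationalUnit",
    "CreatePolicy", "DeclineHandshake", "DeleteOrganization", "DeleteOrganizationalUnit",
    "DeletePolicy", "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy", "UpdateOrganizationalUnit",
)


def build_filter_pattern(events=ORG_EVENTS):
    """Return the CloudWatch Logs filter-pattern string for the listed events."""
    clauses = " || ".join(f'($.eventName = "{e}")' for e in events)
    return f"{{ ($.eventSource = {ORG_EVENT_SOURCE}) && ({clauses}) }}"


def matches(record, events=ORG_EVENTS):
    """Local re-implementation of what the pattern selects, for review before deployment."""
    return record.get("eventSource") == ORG_EVENT_SOURCE and record.get("eventName") in events


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "MoveAccount"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"},  # read-only
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccount"},  # wrong service
    {"eventSource": "organizations.amazonaws.com", "eventName": "InviteAccountToOrganization"},
]


def count_matches(records=SAMPLE_RECORDS):
    """Number of records the filter would count toward the metric (value 1 each)."""
    return sum(1 for r in records if matches(r))


def deploy(log_group, sns_topic_arn, namespace="CIS/OrganizationsChanges",
           name="OrganizationsChanges"):
    """Create the metric filter and a >=1 alarm via boto3 (needs AWS credentials; not run by tests)."""
    import boto3
    boto3.client("logs").put_metric_filter(
        logGroupName=log_group, filterName=name, filterPattern=build_filter_pattern(),
        metricTransformations=[{"metricName": name, "metricNamespace": namespace, "metricValue": "1"}],
    )
    boto3.client("cloudwatch").put_metric_alarm(
        AlarmName=name, MetricName=name, Namespace=namespace, Statistic="Sum", Period=300,
        EvaluationPeriods=1, Threshold=1, ComparisonOperator="GreaterThanOrEqualToThreshold",
        AlarmActions=[sns_topic_arn],
    )
```

Run `count_matches()` against your own exported CloudTrail records to confirm the pattern before calling `deploy()` with the CloudTrail log group name and an SNS topic ARN of your own.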
