Rule: CloudWatch Alarm Action Should Be Enabled

Ensure that CloudWatch alarm actions are enabled, so that alarms actually trigger the notifications and responses that incident response compliance requires.

Rule: CloudWatch alarm action should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: High

CloudWatch Alarm Action for FedRAMP Moderate Revision 4 Compliance

Amazon CloudWatch Alarms are a critical component for monitoring AWS environments and responding to changes in the performance of services. For organizations operating under the compliance requirements of FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4, it's essential to configure these alarms properly to maintain security and operational integrity. When configured correctly, these alarms can help organizations quickly respond to potential security incidents or performance issues.

Detailed Description of the Rule

Under FedRAMP Moderate Revision 4, organizations are required to set up CloudWatch alarms that trigger actions for specific events that may jeopardize the security or performance of the environment. This includes setting thresholds for abnormal activity and ensuring that notifications or remediations are triggered when those thresholds are met or exceeded.

This rule in particular mandates that:

  1. CloudWatch alarms must be configured to monitor security-relevant metrics (such as unauthorized API calls, console sign-in failures, or disabling of logging features).
  2. Alarms must trigger automatic notifications or actions, such as notifying an administrator or invoking AWS Lambda functions, to respond to the events.
  3. Alarm actions should be configured to be enabled at all times to ensure continuous monitoring.

Troubleshooting Steps

If you have a CloudWatch alarm that isn't behaving as expected or isn't compliant with FedRAMP guidelines, follow these steps:

  1. Verify alarm permissions: Ensure that the IAM role associated with the alarm has the necessary permissions to execute the assigned actions.
  2. Check the alarm's threshold: Ensure that the metric threshold settings align with the security standards required for FedRAMP.
  3. Test the notification: Confirm that the Simple Notification Service (SNS) topic or other notification channels are correctly configured and responsive.
  4. Review alarm actions: Ensure that actions are properly linked to the alarm and that they function as intended when the alarm is triggered.

Necessary Code and CLI Commands

Here's a step-by-step guide to create a CloudWatch alarm with a notification action using AWS CLI:

Step 1: Set Up an SNS Topic for Notifications

# Create an SNS topic
aws sns create-topic --name fedramp-alerts

Step 2: Subscribe to the SNS Topic

# Subscribe to the SNS topic (replace with your email)
aws sns subscribe --topic-arn arn:aws:sns:region:account-id:fedramp-alerts --protocol email --notification-endpoint your-email@example.com

Step 3: Create a CloudWatch Alarm

# Create a CloudWatch alarm
aws cloudwatch put-metric-alarm --alarm-name "fedramp-high-cpu-utilization" --metric-name CPUUtilization --namespace AWS/EC2 --statistic Average --period 300 --threshold 80 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 2 --alarm-actions arn:aws:sns:region:account-id:fedramp-alerts --dimensions Name=InstanceId,Value=i-instanceid

Step 4: Verify Alarm Configuration

# Describe the alarm to verify its configuration. In the output, ActionsEnabled
# should be true and AlarmActions should list the SNS topic ARN from Step 3.
aws cloudwatch describe-alarms --alarm-names "fedramp-high-cpu-utilization"

Step 5: Test the Alarm

Testing your alarm ensures that the necessary actions are triggered as expected. This can be done by generating the condition that the alarm is supposed to monitor (like increasing the CPU utilization if that is the metric being watched).

Step 6: Remediate Non-Compliant Alarms

For alarms that are not compliant with FedRAMP requirements, adjust the thresholds, permissions, and actions according to the above steps.
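The following is an added example (not part of the original page or the vendor's tooling) that automates the verification in Steps 4 and 6: it evaluates the JSON returned by aws cloudwatch describe-alarms against this rule, flagging any alarm whose actions are disabled or that has no alarm action attached. The embedded input is a constructed sample that mirrors the real MetricAlarms response shape; the account ID and ARNs are placeholders.

```python
import json
import sys

# Constructed sample shaped like the output of `aws cloudwatch describe-alarms`
# (real field names; alarm names, account ID and ARNs are made up).
SAMPLE_DESCRIBE_ALARMS = json.dumps({
    "MetricAlarms": [
        {
            "AlarmName": "fedramp-high-cpu-utilization",
            "ActionsEnabled": True,
            "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:fedramp-alerts"],
            "OKActions": [],
            "InsufficientDataActions": [],
        },
        {
            "AlarmName": "unauthorized-api-calls",
            "ActionsEnabled": False,  # actions disabled: the alarm fires silently
            "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:fedramp-alerts"],
        },
        {
            "AlarmName": "console-signin-failures",
            "ActionsEnabled": True,
            "AlarmActions": [],  # no action attached: nobody is notified
        },
    ]
})


def evaluate_alarm(alarm):
    """Return the rule violations for one alarm; an empty list means compliant."""
    findings = []
    if not alarm.get("ActionsEnabled", False):
        findings.append("alarm actions are disabled (ActionsEnabled=false)")
    if not alarm.get("AlarmActions"):
        findings.append("no AlarmActions configured")
    return findings


def noncompliant_alarms(describe_alarms_json):
    """Map alarm name -> findings for every alarm that violates the rule."""
    data = json.loads(describe_alarms_json)
    report = {}
    for alarm in data.get("MetricAlarms", []):
        findings = evaluate_alarm(alarm)
        if findings:
            report[alarm["AlarmName"]] = findings
    return report


if __name__ == "__main__":
    # Pass a file containing real describe-alarms output, or run on the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DESCRIBE_ALARMS
    for name, findings in noncompliant_alarms(raw).items():
        print(f"NON-COMPLIANT {name}: {'; '.join(findings)}")
```

An alarm reported with disabled actions can be re-enabled with aws cloudwatch enable-alarm-actions --alarm-names "<alarm-name>"; an alarm with no actions needs an SNS topic ARN attached as in Step 3.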

By following these steps and ensuring continuous monitoring of your alarm configurations, you can maintain a high level of compliance with FedRAMP Moderate Revision 4 standards.
