Ensure a Log Metric Filter and Alarm Exist for Unauthorized API Calls
This rule ensures the presence of log metric filters and alarms for preventing unauthorized API calls.
| Rule | Ensure a log metric filter and alarm exist for unauthorized API calls |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm are in place to detect and alert any unauthorized API calls in compliance with the NIST Cybersecurity Framework (CSF) version 1.
Troubleshooting Steps:
- 1.Verify CloudTrail is enabled and configured properly.
- 2.Validate IAM policies to ensure appropriate permissions are granted.
- 3.Review and update the log metric filter if necessary.
- 4.Verify the alarm is correctly configured to trigger based on the log metric filter.
Necessary Codes:
No necessary codes for this rule.
Step-by-Step Guide for Remediation:
Step 1: Enable and Configure CloudTrail
- 1.Open the AWS Management Console.
- 2.Navigate to the CloudTrail service.
- 3.Click on "Trails" in the left navigation pane.
- 4.Create a trail if not already done.
- 5.Ensure the trail is configured to capture API calls.
- 6.Verify that the trail is active and logging data.
Step 2: Validate IAM Policies
- 1.Open the AWS Management Console.
- 2.Navigate to the IAM service.
- 3.Review the IAM policies associated with the relevant IAM users or roles.
- 4.Ensure that the policies include appropriate permissions for API calls.
- 5.Make adjustments to the policies as needed to restrict unauthorized access.
Step 3: Log Metric Filter
- 1.Open the AWS Management Console.
- 2.Navigate to the CloudWatch service.
- 3.Click on "Logs" in the left navigation pane.
- 4.Select the relevant log group that contains CloudTrail logs.
- 5.Click on "Create Metric Filter".
- 6.Define the filter pattern to capture unauthorized API calls (e.g., "errorCode:UnauthorizedOperation").
- 7.Provide a name and metric value for the filter.
- 8.Enable "Summarize by" if necessary for aggregation purposes.
- 9.Click on "Create Filter".
Step 4: Alarm Configuration
- 1.Open the AWS Management Console.
- 2.Navigate to the CloudWatch service.
- 3.Click on "Alarms" in the left navigation pane.
- 4.Click on "Create Alarm".
- 5.Under "Select metric", choose the metric created in the previous step.
- 6.Configure the alarm threshold based on your requirements (e.g., set the threshold to >= 1 for unauthorized API calls).
- 7.Specify actions to be taken when the alarm state is triggered (e.g., sending notifications via SNS).
- 8.Provide a name and description for the alarm.
- 9.Click on "Create Alarm".
Additional Notes:
- It is recommended to regularly review and update the log metric filter and alarm configuration to align with any changes in your environment.
- Ensure that the designated personnel or team receives and promptly responds to alert notifications triggered by the alarm.
- Periodically test the effectiveness of the rule by intentionally triggering unauthorized API calls and verifying if the filter and alarm accurately detect and alert such incidents.