Hi folks!!!
Welcome to AWS Logging and Analysis quest...
In this post, we will be configuring metrics and alarms using the CloudWatch service in AWS. CloudWatch gives us a lot of information for monitoring AWS resources in real time. Monitoring can be based on rules, event patterns, filters on event names, and so on.
We configured the CloudWatch Logs log group (CloudTrail/DefaultLogGroup) and discussed log events in Part 2 and Part 3 of this quest. Feel free to have a look at them before going through this post.
In this article, we will be creating metric filters for the log group, then setting alarms and a notification topic. Whenever an event matching a filter is found, CloudWatch will notify us by mail. While creating the filter patterns, we will use OR-ing (||) and AND-ing (&&) operations on different attributes of CloudTrail log events. We will create around 10 metric filters for critical log events, following the AWS-CIS-Foundation-Benchmarks. In the Monitoring section of that document, the following recommendations are provided:
1. Ensure a log metric filter and alarm exist for unauthorized API calls
Filter Pattern: { ($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied") }
2. Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Filter Pattern: { ($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed!="Yes") }
3. Ensure a log metric filter and alarm exist for usage of "root" account
Filter Pattern: { $.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType!="AwsServiceEvent" }
4. Ensure a log metric filter and alarm exist for IAM policy changes
Filter Pattern: { ($.eventName="DeleteGroupPolicy") || ($.eventName="DeleteRolePolicy") || ($.eventName="DeleteUserPolicy") || ($.eventName="PutGroupPolicy") || ($.eventName="PutRolePolicy") || ($.eventName="PutUserPolicy") || ($.eventName="CreatePolicy") || ($.eventName="DeletePolicy") || ($.eventName="CreatePolicyVersion") || ($.eventName="DeletePolicyVersion") || ($.eventName="AttachRolePolicy") || ($.eventName="DetachRolePolicy") || ($.eventName="AttachUserPolicy") || ($.eventName="DetachUserPolicy") || ($.eventName="AttachGroupPolicy") || ($.eventName="DetachGroupPolicy") }
5. Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Filter Pattern: { ($.eventName="CreateTrail") || ($.eventName="UpdateTrail") || ($.eventName="DeleteTrail") || ($.eventName="StartLogging") || ($.eventName="StopLogging")}
6. Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Filter Pattern: { ($.eventName="ConsoleLogin") && ($.errorMessage="FailedAuthentication") }
7. Ensure a log metric filter and alarm exist for S3 bucket policy changes
Filter Pattern: { ($.eventSource="s3.amazonaws.com") && (($.eventName="PutBucketAcl") || ($.eventName="PutBucketPolicy") || ($.eventName="PutBucketCors") || ($.eventName="PutBucketLifecycle") || ($.eventName="PutBucketReplication") || ($.eventName="DeleteBucketPolicy") || ($.eventName="DeleteBucketCors") || ($.eventName="DeleteBucketLifecycle") || ($.eventName="DeleteBucketReplication")) }
8. Ensure a log metric filter and alarm exist for security group changes
Filter Pattern: { ($.eventName="AuthorizeSecurityGroupIngress") || ($.eventName="AuthorizeSecurityGroupEgress") || ($.eventName="RevokeSecurityGroupIngress") || ($.eventName="RevokeSecurityGroupEgress") || ($.eventName="CreateSecurityGroup") || ($.eventName="DeleteSecurityGroup") }
9. Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Filter Pattern: { ($.eventName="CreateNetworkAcl") || ($.eventName="CreateNetworkAclEntry") || ($.eventName="DeleteNetworkAcl") || ($.eventName="DeleteNetworkAclEntry") || ($.eventName="ReplaceNetworkAclEntry") || ($.eventName="ReplaceNetworkAclAssociation") }
10. Ensure a log metric filter and alarm exist for VPC changes
Filter Pattern: { ($.eventName="CreateVpc") || ($.eventName="DeleteVpc") || ($.eventName="ModifyVpcAttribute") || ($.eventName="AcceptVpcPeeringConnection") || ($.eventName="CreateVpcPeeringConnection") || ($.eventName="DeleteVpcPeeringConnection") || ($.eventName="RejectVpcPeeringConnection") || ($.eventName="AttachClassicLinkVpc") || ($.eventName="DetachClassicLinkVpc") || ($.eventName="DisableVpcClassicLink") || ($.eventName="EnableVpcClassicLink") }
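The patterns above combine JSON selectors ($.field.subfield) with =, != (with a * wildcard), NOT EXISTS, && and ||, and parentheses for grouping. To see how such a pattern decides whether a CloudTrail record counts towards the metric, here is a small evaluator for exactly that subset of the syntax. It is an example added for this post, not the post's own code and not AWS's implementation; the filter names, the sample records and the rule that a comparison on an absent field never matches are this example's own assumptions, so check the CloudWatch Logs documentation for the exact semantics before relying on an edge case.

```python
import re

# Added example (not from the post, not AWS code): evaluator for the subset of CloudWatch Logs
# JSON filter-pattern syntax the CIS patterns use, to try a pattern against sample records first.
TOKEN_RE = re.compile(
    r'\s*(?:(?P<op>\|\||&&|!=|=|\(|\))'             # operators and parentheses
    r'|(?P<str>"(?:[^"\\]|\\.)*")'                 # "quoted value"
    r'|(?P<kw>NOT EXISTS|EXISTS)'                  # existence tests
    r'|(?P<sel>\$(?:\.[A-Za-z_][A-Za-z0-9_]*)+)'   # $.path.to.field
    r'|(?P<bad>\S))'                               # anything else is an error
)
MISSING = object()

def tokenize(pattern):
    """Split a "{ ... }" pattern into (kind, text) tokens."""
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN_RE.finditer(pattern.strip().strip("{}"))]
    bad = [t for k, t in tokens if k == "bad"]
    if bad:
        raise ValueError(f"unrecognised characters in pattern: {bad!r}")
    return tokens

def parse(tokens):
    """Recursive descent: or := and ('||' and)*, and := term ('&&' term)*, term := '(' or ')' | condition."""
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take(kind=None, value=None):       # consume the next token, checking kind/value when given
        k, v = peek()
        if (kind is not None and k != kind) or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {k} {v!r}")
        pos[0] += 1
        return v
    def expr(level=0):                     # level 0 binds '||', level 1 binds '&&' (tighter)
        if level == 2:
            return term()
        node = expr(level + 1)
        while peek() == ("op", ("||", "&&")[level]):
            take()
            node = (("or", "and")[level], node, expr(level + 1))
        return node
    def term():
        if peek() == ("op", "("):
            take()
            node = expr()
            take("op", ")")
            return node
        sel = take("sel")
        if peek()[0] == "kw":              # $.x EXISTS / NOT EXISTS
            return ("exists", sel, take() == "EXISTS")
        op = take("op")
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", sel, op, take("str")[1:-1])   # strip the quotes
    tree = expr()
    if peek() != (None, None):
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def lookup(event, selector):               # follow "$.a.b" into a parsed record
    node = event
    for key in selector.split(".")[1:]:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def evaluate(node, event):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "exists":
        return (lookup(event, node[1]) is not MISSING) == node[2]
    _, selector, op, value = node
    actual = lookup(event, selector)
    if actual is MISSING:                  # assumption of this model: comparing an absent field never matches
        return False
    regex = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"   # '*' = any run of characters
    equal = re.match(regex, str(actual)) is not None
    return equal if op == "=" else not equal

def run_filters(patterns, events):
    """Map each filter name to the indices of the events it would count."""
    trees = {name: parse(tokenize(p)) for name, p in patterns.items()}
    return {name: [i for i, e in enumerate(events) if evaluate(t, e)] for name, t in trees.items()}

CIS_PATTERNS = {   # four of the page's patterns; the names are this example's own, the S3 list is shortened
    "UnauthorizedAPICalls": '{ ($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied") }',
    "ConsoleLoginWithoutMFA": '{ ($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed!="Yes") }',
    "RootAccountUsage": '{ $.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType!="AwsServiceEvent" }',
    "S3BucketPolicyChanges": '{ ($.eventSource="s3.amazonaws.com") && (($.eventName="PutBucketAcl") || ($.eventName="PutBucketPolicy") || ($.eventName="DeleteBucketPolicy")) }',
}
SAMPLE_EVENTS = [  # constructed CloudTrail records, reduced to the fields the patterns read
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"},
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"}, "userIdentity": {"type": "IAMUser"}, "eventType": "AwsConsoleSignIn"},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "userIdentity": {"type": "Root"}, "eventType": "AwsApiCall"},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"},
]

if __name__ == "__main__":
    for name, hits in run_filters(CIS_PATTERNS, SAMPLE_EVENTS).items():
        print(f"{name:24s} -> events {hits}")
```

Each sample record trips exactly one filter, which is the property you want from a metric filter set: the root-usage pattern relies on NOT EXISTS rather than != to handle the absent invokedBy field, and the S3 pattern shows why the inner event-name list must be wrapped in its own parentheses before being AND-ed with the event source.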
To create a metric filter, we will follow these steps:
1. Go to Services --> Management Tools --> CloudWatch.
2. Select Logs from the left pane.
3. As I configured a universal logging CloudWatch Logs log group named "CloudTrail/DefaultLogGroup" in Part 2 of the quest, I will select that one.
4. Then select "Create Metric Filter".
5. A two-step process will begin. The first sub-step is pattern design. Write the first filter pattern in the space provided and select "Assign Metric".
6. After metric assignment, provide the names of the filter and the metric. Finally, select the "Create Filter" option.
7. A success message screen will appear.
Following the same steps, I have configured all 10 filters discussed above. In the next article, we will configure the alarms and check their notifications.
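Clicking through the console seven times per filter works once, but the same ten filters usually have to exist in every account and region that ships CloudTrail to CloudWatch Logs. The script below is an added example, not code from the post: it builds the PutMetricFilter request for each of the ten CIS patterns on the page and applies it through a CloudWatch Logs client. The filter names and the metric namespace CISBenchmark are this example's own choices, the client in real use would be boto3.client("logs"), and a small recording stand-in is included so the script runs without AWS credentials. A bracket check before each call catches a pattern that lost a parenthesis when it was copied from a line-wrapped source.

```python
# Added example (not from the post, not AWS code): scripted equivalent of the console steps that
# creates the ten CIS metric filters on the log group through the CloudWatch Logs API.
LOG_GROUP = "CloudTrail/DefaultLogGroup"   # the log group configured in Part 2 of the quest
NAMESPACE = "CISBenchmark"                 # metric namespace chosen for this example

CIS_FILTERS = {   # filter names are this example's own; the patterns are the ten from the page
    "UnauthorizedAPICalls": '{ ($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied") }',
    "ConsoleLoginWithoutMFA": '{ ($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed!="Yes") }',
    "RootAccountUsage": '{ $.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType!="AwsServiceEvent" }',
    "IAMPolicyChanges": '{ ($.eventName="DeleteGroupPolicy") || ($.eventName="DeleteRolePolicy") || ($.eventName="DeleteUserPolicy") || ($.eventName="PutGroupPolicy") || ($.eventName="PutRolePolicy") || ($.eventName="PutUserPolicy") || ($.eventName="CreatePolicy") || ($.eventName="DeletePolicy") || ($.eventName="CreatePolicyVersion") || ($.eventName="DeletePolicyVersion") || ($.eventName="AttachRolePolicy") || ($.eventName="DetachRolePolicy") || ($.eventName="AttachUserPolicy") || ($.eventName="DetachUserPolicy") || ($.eventName="AttachGroupPolicy") || ($.eventName="DetachGroupPolicy") }',
    "CloudTrailChanges": '{ ($.eventName="CreateTrail") || ($.eventName="UpdateTrail") || ($.eventName="DeleteTrail") || ($.eventName="StartLogging") || ($.eventName="StopLogging") }',
    "ConsoleAuthFailures": '{ ($.eventName="ConsoleLogin") && ($.errorMessage="FailedAuthentication") }',
    "S3BucketPolicyChanges": '{ ($.eventSource="s3.amazonaws.com") && (($.eventName="PutBucketAcl") || ($.eventName="PutBucketPolicy") || ($.eventName="PutBucketCors") || ($.eventName="PutBucketLifecycle") || ($.eventName="PutBucketReplication") || ($.eventName="DeleteBucketPolicy") || ($.eventName="DeleteBucketCors") || ($.eventName="DeleteBucketLifecycle") || ($.eventName="DeleteBucketReplication")) }',
    "SecurityGroupChanges": '{ ($.eventName="AuthorizeSecurityGroupIngress") || ($.eventName="AuthorizeSecurityGroupEgress") || ($.eventName="RevokeSecurityGroupIngress") || ($.eventName="RevokeSecurityGroupEgress") || ($.eventName="CreateSecurityGroup") || ($.eventName="DeleteSecurityGroup") }',
    "NACLChanges": '{ ($.eventName="CreateNetworkAcl") || ($.eventName="CreateNetworkAclEntry") || ($.eventName="DeleteNetworkAcl") || ($.eventName="DeleteNetworkAclEntry") || ($.eventName="ReplaceNetworkAclEntry") || ($.eventName="ReplaceNetworkAclAssociation") }',
    "VPCChanges": '{ ($.eventName="CreateVpc") || ($.eventName="DeleteVpc") || ($.eventName="ModifyVpcAttribute") || ($.eventName="AcceptVpcPeeringConnection") || ($.eventName="CreateVpcPeeringConnection") || ($.eventName="DeleteVpcPeeringConnection") || ($.eventName="RejectVpcPeeringConnection") || ($.eventName="AttachClassicLinkVpc") || ($.eventName="DetachClassicLinkVpc") || ($.eventName="DisableVpcClassicLink") || ($.eventName="EnableVpcClassicLink") }',
}

def balanced(pattern):
    """Cheap sanity check before calling the API: every ( and { has its matching ) or }."""
    pairs, stack = {")": "(", "}": "{"}, []
    for ch in pattern:
        if ch in "({":
            stack.append(ch)
        elif ch in ")}" and (not stack or stack.pop() != pairs[ch]):
            return False
    return not stack

def metric_filter_request(log_group, name, pattern, namespace=NAMESPACE):
    """Keyword arguments for PutMetricFilter: each matching event adds 1 to the named metric."""
    if not balanced(pattern):
        raise ValueError(f"{name}: unbalanced brackets in filter pattern")
    return {
        "logGroupName": log_group,
        "filterName": name,
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": name, "metricNamespace": namespace, "metricValue": "1"}],
    }

def apply_filters(client, log_group, filters):
    """Create or update each filter; PutMetricFilter replaces an existing filter of the same name."""
    applied = []
    for name, pattern in filters.items():
        client.put_metric_filter(**metric_filter_request(log_group, name, pattern))
        applied.append(name)
    return applied

class RecordingClient:
    """Stand-in for boto3's CloudWatch Logs client so the example runs without AWS credentials."""
    def __init__(self):
        self.calls = []

    def put_metric_filter(self, **kwargs):
        self.calls.append(kwargs)
        return {}

if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("logs")
    client = RecordingClient()
    for name in apply_filters(client, LOG_GROUP, CIS_FILTERS):
        print("configured metric filter", name)
```

To run it against an account, swap the RecordingClient for boto3.client("logs"); the caller needs the logs:PutMetricFilter permission on the log group. Because PutMetricFilter is an upsert keyed on the filter name, rerunning the script after editing a pattern is safe and leaves no duplicates behind.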