Total Pageviews

Translate

June 21, 2018

AWS Logging and Analysis - Part 6.1 - Configuring CloudWatch Metrics and Alarms

by 4hathacker  |  in AWS Logging and Analysis at  10:31 PM

Hi folks!!!

Welcome to AWS Logging and Analysis quest...



In this post, we will be configuring metrics and alarms using the CloudWatch service in AWS. CloudWatch provides us a lot of information to monitor AWS resources in real time. Monitoring can be done based on rules, event patterns, filters based on event names, etc.

We have configured CloudWatch Logs Log Group (CloudTrail/DefaultLogGroup) and discussed about log events in the Part 2 and Part 3 of this quest. Feel free to have a look at them before going through this post.

In this article, we will be creating metric filters for the log group. We will be setting alarms and a notification topic. Whenever the filter matched event is found, the CloudWatch will notify us over mail. While creating filter patterns, we will use OR-ing (||) and AND-ing (&&) operations with different attributes of CloudTrail Log events. We will create around 10 metric filters for critical log events considering the AWS-CIS-Foundation-Benchmarks. In the Monitoring section of this document, following recommendations are provided,

1. Ensure a log metric filter and alarm exist for unauthorized API calls
Filter Pattern: { ($.errorCode="*UnauthorizedOperation") || ($.errorCode="AccessDenied") }

2. Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
Filter Pattern: { ($.eventName="ConsoleLogin") && ($.additionalEventData.MFAUsed!="Yes") }

3. Ensure a log metric filter and alarm exist for usage of "root" acount
Filter Pattern: { $.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType!="AwsServiceEvent"}

4. Ensure a log metric filter and alarm exist for IAM policy changes
Filter Pattern:{($.eventName="DeleteGroupPolicy") || ($.eventName="DeleteRolePolicy")||($.eventName="Delete UserPolicy")||($.eventName="PutGroupPolicy")||($.eventName="PutRolePolicy")||($.eventName="PutUserPolicy")||($.eventName="CreatePolicy")||($.eventName="DeletePolicy")||($.eventName="CreatePolicyVersion")||($.eventName="DeletePolicyVersion")||($.eventName="AttachRolePolicy")||($.eventName="DetachRolePolicy")||($.eventName="AttachUserPolicy")||($.eventName="DetachUserPolicy")||($.eventName="AttachGroupPolicy")||($.eventName="DetachGroupPolicy")}

5. Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Filter Pattern: { ($.eventName="CreateTrail") || ($.eventName="UpdateTrail") || ($.eventName="DeleteTrail") || ($.eventName="StartLogging") || ($.eventName="StopLogging")}

6.  Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Filter Pattern: { ($.eventName="ConsoleLogin") && ($.errorMessage="FailedAuthentication") }

7. Ensure a log metric filter and alarm exist for S3 bucket policy changes
Filter Pattern: { ($.eventSource="s3.amazonaws.com") && (($.eventName="PutBucketAcl") || ($.eventName="PutBucketPolicy") || ($.eventName="PutBucketCors") || ($.eventName="PutBucketLifecycle") || ($.eventName="PutBucketReplication") || ($.eventName="DeleteBucketPolicy") || ($.eventName="DeleteBucketCors") || ($.eventName="DeleteBucketLifecycle") || ($.eventName="DeleteBucketReplication")) }

8. Ensure a log metric filter and alarm exist for security group changes
Filter Pattern: { ($.eventName="AuthorizeSecurityGroupIngress") || ($.eventName="AuthorizeSecurityGroupEgress") || ($.eventName="RevokeSecurityGroupIngress") ||
($.eventName="RevokeSecurityGroupEgress") || ($.eventName="CreateSecurityGroup") ||
($.eventName="DeleteSecurityGroup")}

9. Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Filter Pattern: { ($.eventName="CreateNetworkAcl") || ($.eventName="CreateNetworkAclEntry") || ($.eventName="DeleteNetworkAcl") || ($.eventName="DeleteNetworkAclEntry") || ($.eventName="ReplaceNetworkAclEntry") || ($.eventName="ReplaceNetworkAclAssociation") }

10. Ensure a log metric filter and alarm exist for VPC changes
Filter Pattern: { ($.eventName="CreateVpc") || ($.eventName="DeleteVpc") || ($.eventName="ModifyVpcAttribute") || ($.eventName="AcceptVpcPeeringConnection") || ($.eventName="CreateVpcPeeringConnection") || ($.eventName="DeleteVpcPeeringConnection") || ($.eventName="RejectVpcPeeringConnection") || ($.eventName="AttachClassicLinkVpc") || ($.eventName="DetachClassicLinkVpc") || ($.eventName="DisableVpcClassicLink") || ($.eventName="EnableVpcClassicLink") }

To create metric filter, we will be following the steps as mentioned,

1. Go to Services --> Management Tools --> CloudWatch

2. Select Logs from the left pane.

3. As I have configured a universal logging CloudWatch Logs Log Group named as "CloudTrail/DefaultLogGroup" in the part 2 of the quest, I will select the same.

4. Then select the "Create Metric Filter" .

5. A two step process will begin. The first sub-step is for pattern designing. Write the first filter pattern in the space provided and select "Assign Metric".

6.  After metric assignment, provide the name of filter and metric. Finally select, "Create Filter" option.

7. A successful message screen will appear.

Following the same steps, I have configured all the 10 filters discussed above. In the next article, we will configure the alarms and check for their notifications.


0 comments:

Like Our Facebook Page

Nitin Sharma's DEV Profile
Proudly Designed by 4hathacker.