Important CloudWatch Monitoring Metrics Missing

Ths plugin ensures important and sensetive metric filters are set up for CloudWatch logs to detect security risks from CloudTrail.

Risk Level: Medium

Description

Ths plugin ensures important and sensetive metric filters are set up for CloudWatch logs to detect security risks from CloudTrail. Without setting up metric filters, extracting useful information from the CloudTrail logs by CloudWatch will be a tedious task. It is recommended to have important metric filters enabled to capture the potential security threat alerts.

About the Service

Amazon CloudWatch: Amazon CloudWatch is a monitoring service for developers and Dev Ops Engineers. CloudWatch gives you the actionable information and data you need to monitor your applications, and optimize resource utilization. The logs generated can then be utilized to derive important conclusions in case the system is compromised.

Important CloudWatch Metrics

Following are the the important metrics that needs to be enabled to NOT miss any security sensitive alert:

Name

Pattern

Unauthorized API Calls

{ ($.errorCode = *UnauthorizedOperation) || ($.errorCode = AccessDenied*) }

Sign In Without MFA

{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }

Root Account Usage

{ $.userIdentity.type = Root && $.userIdentity.invokedBy NOT EXISTS && $.eventType != AwsServiceEvent }

IAM Policy Changes

{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}

CloudTrail Configuration Changes

{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }

Sign In Failures

{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

Disabled CMKs

{($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion)) }

S3 Policy Changes

{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }

ConfigService Changes

{($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}

Security Group Changes

{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}

Network ACL Changes

{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }

Network Gateway Changes

{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }

Route Table Changes

{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }

VPC Changes

{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }

Impact

According to the AWS documentation, metric filters are used to extract metric observations from ingested events and transform them to data points in a CloudWatch metric. Metric Filters are important to derive critical conclusions from the events captured by the log stream. In the absence of these important metric filters, you might miss out on the potential security threats.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon CloudTrail Management Console. You can use this link (https://console.aws.amazon.com/cloudtrail) to navigate directly if already logged in. 
  3. Move to Trails from the left navigation pane.
  4. From the list of trails, look for the CloudWatch Logs Log Group Name column. Note down the name of the Log Group attached with the trail.
  5. Now, move to the CloudWatch management console using the link. (https://console.aws.amazon.com/cloudwatch)
  6. Move to the Log Groups in the Logs section from the left navigation pane.
  7. From the list of log groups, click on the earlier noted Log Group by clicking on its Name.
  8. Switch to the Metric Filters tab. 
  9. From the list generated, check for all the metric filter patterns mentioned before. If any one of them is missing, the vulnerability exists.
  10. Repeat the steps for all the other CloudWatch Logs.

Steps for Remediation

Enable the important metric filters to detect malicious activity in CloudTrail logs sent to CloudWatch.

  1. Log In to your AWS Console.
  2. Open the Amazon CloudWatch Management Console. You can use this link (https://console.aws.amazon.com/cloudwatch) to navigate directly if already logged in. 
  3. Move to the Log Groups in the Logs section from the left navigation pane.
  4. From the list of log groups, click on the vulnerable Log Group by clicking on its Name.
  5. Switch to the Metric Filters tab. 
  6. Click on the Create Metric Filter button. Now, follow the basic steps to create a Metric Filter. 
  7. In the Filter Pattern section, type the pattern missing.
  8. Click on Create when done.
  9. Repeat steps 4 to 9 for all the vulnerable Log Groups.