More Info:

Any unauthorized API calls made within your AWS account should be monitored using CloudWatch alarms to respond quickly to unapproved actions.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWSF, PCI, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, AWSWAF, HITRUST

Triage and Remediation

Remediation

Using Console

The “Authorization Failures” alarm in AWS CloudWatch should be configured to trigger whenever unauthorized API calls are made. To set this up using the AWS Console:
  1. Sign in to the AWS Management Console.
  2. Navigate to Amazon CloudWatch console.
  3. In the left-hand menu, under Logs, choose Log groups.
  4. Click on the name (link) of the log group associated with your Amazon CloudTrail trail.
  5. Select the Metric filters tab and choose Create metric filter.
  6. On the Create metric filter setup page, perform the following actions:
    • For Step 1: Define pattern, paste the following pattern in the Filter Pattern box:
      {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}
      This will scan your Amazon CloudTrail logs for “AccessDenied” and “UnauthorizedOperation” events. Choose Next.
    • For Step 2: Assign metric, provide the following information:
      • In the Filter name box, enter a unique name for the new filter.
      • In the Metric namespace box, type CloudTrailMetrics.
      • In the Metric name box, type AuthorizationFailure.
      • In the Metric value box, type 1.
      • (Optional) Choose Count from the Unit – optional dropdown list.
      • Choose Next to continue.
  7. On the Metric filters panel, select the newly created metric filter and choose Create alarm.
  8. On the Create alarm setup page, perform the following actions:
    • For Step 1: Specify metric and conditions:
      • In the Metric section, select Sum from the Statistic list, and choose 5 minutes from the Period dropdown list.
      • In the Conditions section, select Static as Threshold type.
      • For Whenever AuthorizationFailure is, select Greater/Equal (greater than or equal to), and enter 1 in the configuration box to trigger the CloudWatch alarm.
      • Choose Next.
    • For Step 2: Configure actions, define the alarm state that will trigger the CloudWatch alarm action:
      • Select In alarm under Alarm state trigger.
      • Choose Select an existing SNS topic and select the name of the SNS topic created at Step 1.
      • Choose Next.
    • For Step 3: Add name and description, provide a unique name and a short description for your new CloudWatch alarm. Choose Next.
    • For Step 4: Preview and create, review the alarm configuration details, then choose Create alarm.
      Once the alarm is created, its State (status) will change from Insufficient data to OK.

The Authorization Failures alarm in AWS can also be created and managed using the AWS CLI. Follow these steps:
  1. Create the required CloudWatch metric filter and associate it with your Amazon CloudTrail trail. The pattern used will scan for AccessDenied and UnauthorizedOperation events.
Run this command to create the metric filter:
aws logs put-metric-filter \
   --region us-east-1 \
   --log-group-name cc-project5-log-group \
   --filter-name AWSCloudAuthorizationFailure \
   --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' \
   --metric-transformations metricName=AuthorizationFailure,metricNamespace=CloudTrailMetrics,metricValue=1
  1. Create the CloudWatch alarm to monitor the authorization failures:
aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name "AWSAuthorizationFailureAlarm" \
  --alarm-description "Triggered when unauthorized AWS API calls are made" \
  --metric-name AuthorizationFailure \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 1 \
  --actions-enabled \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic
The “Authorization Failures” alarm in AWS CloudWatch is triggered when there are failed attempts to access AWS resources due to insufficient permissions. To remediate this issue using Python, follow these steps:
  1. First, set up the required metric filter and alarm in CloudWatch using the Boto3 library:
import boto3

# Initialize clients for CloudWatch Logs and CloudWatch
logs_client = boto3.client('logs')
cw_client = boto3.client('cloudwatch')

# Create metric filter
logs_client.put_metric_filter(
    logGroupName='cc-project5-log-group',
    filterName='AWSCloudAuthorizationFailure',
    filterPattern='{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}',
    metricTransformations=[
        {
            'metricName': 'AuthorizationFailure',
            'metricNamespace': 'CloudTrailMetrics',
            'metricValue': '1'
        }
    ]
)

# Create CloudWatch alarm
cw_client.put_metric_alarm(
    AlarmName='AWSAuthorizationFailureAlarm',
    AlarmDescription='Triggered when unauthorized AWS API calls are made',
    MetricName='AuthorizationFailure',
    Namespace='CloudTrailMetrics',
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic']
)
  1. This Python script will automatically set up the metric filter and alarm to monitor any authorization failures across your AWS account.

Additional Reading: