Triage and Remediation
Remediation
Using Console
The “Authorization Failures” alarm in AWS CloudWatch should be configured to trigger whenever unauthorized API calls are recorded in CloudTrail. To set this up using the AWS Console:
- Sign in to the AWS Management Console.
- Navigate to the Amazon CloudWatch console.
- In the left-hand menu, under Logs, choose Log groups.
- Click on the name (link) of the log group that receives events from your Amazon CloudTrail trail.
- Select the Metric filters tab and choose Create metric filter.
- On the Create metric filter setup page, perform the following actions:
  - For Step 1: Define pattern, paste the following pattern in the Filter Pattern box:
    {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}
    This matches every CloudTrail record whose errorCode ends with “UnauthorizedOperation” (for example Client.UnauthorizedOperation from EC2) or starts with “AccessDenied” (AccessDenied, AccessDeniedException). Successful calls carry no errorCode field and are not counted. Choose Next.
  - For Step 2: Assign metric, provide the following information:
    - In the Filter name box, enter a unique name for the new filter.
    - In the Metric namespace box, type CloudTrailMetrics.
    - In the Metric name box, type AuthorizationFailure.
    - In the Metric value box, type 1.
    - (Optional) Choose Count from the Unit – optional dropdown list.
    - (Recommended) In the Default value – optional box, type 0, so that evaluation periods with no matching events report a zero instead of no data at all.
    - Choose Next to continue.
- On the Metric filters panel, select the newly created metric filter and choose Create alarm.
- On the Create alarm setup page, perform the following actions:
  - For Step 1: Specify metric and conditions:
    - In the Metric section, select Sum from the Statistic list, and choose 5 minutes from the Period dropdown list.
    - In the Conditions section, select Static as the Threshold type.
    - For Whenever AuthorizationFailure is, select Greater/Equal (greater than or equal to) and enter 1 in the threshold box, so that a single authorization failure in any 5-minute period puts the alarm into the In alarm state.
    - Choose Next.
  - For Step 2: Configure actions, define the alarm state that will trigger the CloudWatch alarm action:
    - Select In alarm under Alarm state trigger.
    - Choose Select an existing SNS topic and select the SNS topic created earlier for alarm notifications. The topic needs at least one confirmed subscription; otherwise the alarm fires but nobody is notified.
    - Choose Next.
  - For Step 3: Add name and description, provide a unique name and a short description for your new CloudWatch alarm. Choose Next.
  - For Step 4: Preview and create, review the alarm configuration details, then choose Create alarm.
- A newly created alarm starts in the Insufficient data state and moves to OK once the metric reports data. If the metric filter has no default value, the metric only receives a data point when an event matches the pattern, so the alarm can sit in Insufficient data until the first failure occurs. Setting the filter’s default value to 0 (or choosing “Treat missing data as not breaching” under the alarm’s additional configuration) gives a steady OK baseline and makes a transition to In alarm unambiguous.
Using CLI
The Authorization Failures alarm in AWS can also be created and managed using the AWS CLI. Follow these steps:
- Create the required CloudWatch metric filter with aws logs put-metric-filter, pointing it at the log group that receives your Amazon CloudTrail trail. The pattern used will scan for AccessDenied and UnauthorizedOperation events; the metric transformation uses the same namespace (CloudTrailMetrics), metric name (AuthorizationFailure) and metric value (1) as the console procedure, and a default value of 0 keeps the metric populated between failures.
- Create the CloudWatch alarm to monitor the authorization failures with aws cloudwatch put-metric-alarm, using the Sum statistic, a 300-second period, one evaluation period, a threshold of 1 with the GreaterThanOrEqualToThreshold comparison, and the ARN of your notification SNS topic as the alarm action.
Using Python
The “Authorization Failures” alarm in AWS CloudWatch is triggered when there are failed attempts to access AWS resources due to insufficient permissions. To set up the same monitoring using Python, follow these steps:
- First, set up the required metric filter and alarm in CloudWatch using the Boto3 library: put_metric_filter on the CloudWatch Logs client creates the filter, and put_metric_alarm on the CloudWatch client creates the alarm, with the same namespace, metric name, statistic, period and threshold used in the console procedure.
- Running the script sets up the metric filter and alarm so that any authorization failure recorded by CloudTrail in your AWS account is counted and raises the alarm.
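The script below is an added example and is not the page's own Boto3 script or CLI commands. It covers both the CLI and the Python sections: it builds the exact request parameters for the two API calls (the same fields the console steps fill in and that aws logs put-metric-filter / aws cloudwatch put-metric-alarm take), re-implements the filter pattern's matching locally so you can check which CloudTrail errorCode values it catches before deploying, and keeps the live boto3 calls inside apply() so the module can be imported and tested without credentials. The log group name, SNS topic ARN and account number are hypothetical placeholders, and the constructed sample events are not real log data.

```python
"""Create the CloudTrail authorization-failure metric filter and alarm,
and check the filter pattern locally against sample CloudTrail events.
Added example; log group, topic ARN and account id are hypothetical."""
import fnmatch
import json

LOG_GROUP = "CloudTrail/DefaultLogGroup"                              # assumption
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # assumption

# Values from the console procedure on this page.
FILTER_PATTERN = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
FILTER_NAME = "AuthorizationFailures"
NAMESPACE = "CloudTrailMetrics"
METRIC_NAME = "AuthorizationFailure"
ALARM_NAME = "CloudTrailAuthorizationFailures"

# The two quoted terms of the pattern; CloudWatch Logs treats '*' in a
# quoted term as a wildcard, which fnmatch reproduces for these terms.
ERROR_CODE_GLOBS = ("*UnauthorizedOperation", "AccessDenied*")


def matches_filter(event: dict) -> bool:
    """Local re-implementation of the pattern: true when errorCode
    glob-matches either term. Successful calls have no errorCode."""
    code = event.get("errorCode")
    if not isinstance(code, str):
        return False
    return any(fnmatch.fnmatchcase(code, g) for g in ERROR_CODE_GLOBS)


def metric_filter_params(log_group: str = LOG_GROUP) -> dict:
    """Keyword arguments for logs.put_metric_filter. defaultValue=0 makes
    the metric emit a zero in periods with no matches, so the alarm can
    reach OK instead of staying in INSUFFICIENT_DATA."""
    return {
        "logGroupName": log_group,
        "filterName": FILTER_NAME,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{
            "metricName": METRIC_NAME,
            "metricNamespace": NAMESPACE,
            "metricValue": "1",
            "defaultValue": 0.0,
            "unit": "Count",
        }],
    }


def alarm_params(topic_arn: str = SNS_TOPIC_ARN) -> dict:
    """Keyword arguments for cloudwatch.put_metric_alarm: Sum over a
    5-minute period, static threshold >= 1, notify the topic in ALARM."""
    return {
        "AlarmName": ALARM_NAME,
        "AlarmDescription": "Unauthorized API calls (AccessDenied*/UnauthorizedOperation) in CloudTrail",
        "Namespace": NAMESPACE,
        "MetricName": METRIC_NAME,
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",   # belt and braces with defaultValue=0
        "AlarmActions": [topic_arn],
    }


# Constructed sample CloudTrail records (not real logs); only the fields
# the filter inspects are populated.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventName": "ListBuckets", "errorCode": "AccessDeniedException"},
    {"eventName": "ListBuckets"},                                   # success
    {"eventName": "RunInstances", "errorCode": "InvalidParameterValue"},
]


def count_authorization_failures(events) -> int:
    """What the metric filter would add to AuthorizationFailure for these events."""
    return sum(1 for e in events if matches_filter(e))


def apply(log_group: str = LOG_GROUP, topic_arn: str = SNS_TOPIC_ARN) -> None:
    """Create the filter and alarm for real (needs boto3 and AWS credentials
    with logs:PutMetricFilter and cloudwatch:PutMetricAlarm)."""
    import boto3
    boto3.client("logs").put_metric_filter(**metric_filter_params(log_group))
    boto3.client("cloudwatch").put_metric_alarm(**alarm_params(topic_arn))


if __name__ == "__main__":
    print(json.dumps(metric_filter_params(), indent=2))
    print(json.dumps(alarm_params(), indent=2))
    print("matching sample events:", count_authorization_failures(SAMPLE_EVENTS))
    # apply()  # uncomment to deploy into the account your credentials point at
```

Running the module prints the two parameter sets and reports that three of the five constructed events would be counted: the EC2-style Client.UnauthorizedOperation, the bare AccessDenied that S3 and IAM return, and the AccessDeniedException most other services return; the successful call (no errorCode) and the unrelated validation error are ignored. The local matcher mirrors only the wildcard semantics of the two quoted terms, so use it to sanity-check the pattern, not as a substitute for testing the deployed filter with the console's "Test pattern" feature against real log data.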