CloudTrail Changes Alarm

More Info:

All AWS CloudTrail configuration changes should be monitored using CloudWatch alarms.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWSF, PCI, GDPR, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

The CloudTrail Changes Alarm monitors changes in CloudTrail configuration. Here are the steps to set up the alarm using AWS CLI:

Run the following command to create a CloudWatch metric filter and associate it with the CloudTrail log group:

aws logs put-metric-filter
    --region us-east-1
    --log-group-name CloudTrail/MyCloudTrailLG
    --filter-name AWSCloudTrailChanges
    --filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
    --metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1

Use the following command to create a CloudWatch alarm triggered by changes to CloudTrail:

aws cloudwatch put-metric-alarm
    --region us-east-1
    --alarm-name "CloudTrail Changes"
    --alarm-description "Triggered by AWS CloudTrail configuration changes."
    --metric-name CloudTrailEventCount
    --namespace CloudTrailMetrics
    --statistic Sum
    --comparison-operator GreaterThanOrEqualToThreshold
    --evaluation-periods 1
    --period 300
    --threshold 1
    --actions-enabled
    --alarm-actions arn:aws:sns:us-east-1:123456789012

These commands set up the CloudWatch alarm to monitor CloudTrail configuration changes using AWS CLI.

Using Python

To remediate the CloudTrail Changes Alarm misconfiguration using Python, we can use the AWS SDK for Python (boto3) to automate both the CloudTrail and CloudWatch configurations. Here’s a sample code:

import boto3

# Enable CloudWatch Logs for CloudTrail
def enable_cloudtrail_logs(trail_name, log_group_arn, role_arn):
 client = boto3.client('cloudtrail')
 response = client.update_trail(
     Name=trail_name,
     CloudWatchLogsLogGroupArn=log_group_arn,
     CloudWatchLogsRoleArn=role_arn
 )
 return response

# Create or update a CloudWatch alarm
def create_cloudtrail_alarm(alarm_name, metric_name, sns_topic_arn):
 client = boto3.client('cloudwatch')
 response = client.put_metric_alarm(
     AlarmName=alarm_name,
     MetricName=metric_name,
     Namespace='CloudTrailMetrics',
     Statistic='Sum',
     Period=300,
     EvaluationPeriods=1,
     Threshold=1,
     ComparisonOperator='GreaterThanOrEqualToThreshold',
     AlarmActions=[sns_topic_arn],
     OKActions=[sns_topic_arn],
     Dimensions=[
         {
             'Name': 'TrailName',
             'Value': 'my-trail'
         }
     ]
 )
 return response

# Usage example:
enable_cloudtrail_logs(
 trail_name='my-trail',
 log_group_arn='arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/my-trail',
 role_arn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
)

create_cloudtrail_alarm(
 alarm_name='CloudTrail Changes',
 metric_name='CloudTrailEventCount',
 sns_topic_arn='arn:aws:sns:us-east-1:123456789012:my-sns-topic'
)

This script enables CloudWatch logs for your CloudTrail and sets up a CloudWatch alarm for tracking changes to your CloudTrail configurations.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudTrail Changes Alarm

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: