AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
CloudTrail Changes Alarm
More Info:
All AWS CloudTrail configuration changes should be monitored using CloudWatch alarms.
Risk Level
Medium
Address
Security
Compliance Standards
CISAWSF, PCI, GDPR, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, NISTCSF
Triage and Remediation
Remediation
Here are the step-by-step instructions to remediate the CloudTrail Changes Alarm misconfiguration in AWS using the AWS console:
-
Sign in to your AWS account and navigate to the CloudWatch service.
-
In the left-hand menu, select “Logs”.
-
Select the log group created for your CloudTrail trail event logs and click on the “Create Metric Filter” button.
-
On the Define Logs Metric Filter page, in the Filter Pattern box, enter the following pattern:
{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
This pattern monitors CloudTrail for changes like creating, updating, or deleting trails.
-
Review the metric filter details and click Assign Metric.
-
On the next page, provide the following details:
- Filter Name: Enter a name like
AWSCloudTrailChanges. - Metric Namespace: Enter
CloudTrailMetrics. - Metric Name: Enter
CloudTrailEventCount. - Click Show advanced metric settings, and in the Metric Value box, enter
1.
- Filter Name: Enter a name like
-
Review the details and click Create Filter.
-
Now, click Create Alarm for the filter created in the previous step.
-
In the Create Alarm dialog, configure the following:
- Alarm Name: Enter
CloudTrail Changes. - Threshold: Set the threshold value to
1(greater than or equal to 1). - Actions: Click the + Notification button, select State is ALARM, and choose an SNS topic for notifications.
- Period: Select
5 Minutesfrom the dropdown. - Statistic: Set to
Sum.
- Alarm Name: Enter
-
Review the configuration and click Create Alarm to finalize.
That’s it! You have successfully remediated the CloudTrail Changes Alarm misconfiguration in AWS using the AWS console.
The CloudTrail Changes Alarm monitors changes in CloudTrail configuration. Here are the steps to set up the alarm using AWS CLI:
- Run the following command to create a CloudWatch metric filter and associate it with the CloudTrail log group:
aws logs put-metric-filter
--region us-east-1
--log-group-name CloudTrail/MyCloudTrailLG
--filter-name AWSCloudTrailChanges
--filter-pattern '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
--metric-transformations metricName=CloudTrailEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
- Use the following command to create a CloudWatch alarm triggered by changes to CloudTrail:
aws cloudwatch put-metric-alarm
--region us-east-1
--alarm-name "CloudTrail Changes"
--alarm-description "Triggered by AWS CloudTrail configuration changes."
--metric-name CloudTrailEventCount
--namespace CloudTrailMetrics
--statistic Sum
--comparison-operator GreaterThanOrEqualToThreshold
--evaluation-periods 1
--period 300
--threshold 1
--actions-enabled
--alarm-actions arn:aws:sns:us-east-1:123456789012
These commands set up the CloudWatch alarm to monitor CloudTrail configuration changes using AWS CLI.
To remediate the CloudTrail Changes Alarm misconfiguration using Python, we can use the AWS SDK for Python (boto3) to automate both the CloudTrail and CloudWatch configurations. Here’s a sample code:
import boto3
# Enable CloudWatch Logs for CloudTrail
def enable_cloudtrail_logs(trail_name, log_group_arn, role_arn):
client = boto3.client('cloudtrail')
response = client.update_trail(
Name=trail_name,
CloudWatchLogsLogGroupArn=log_group_arn,
CloudWatchLogsRoleArn=role_arn
)
return response
# Create or update a CloudWatch alarm
def create_cloudtrail_alarm(alarm_name, metric_name, sns_topic_arn):
client = boto3.client('cloudwatch')
response = client.put_metric_alarm(
AlarmName=alarm_name,
MetricName=metric_name,
Namespace='CloudTrailMetrics',
Statistic='Sum',
Period=300,
EvaluationPeriods=1,
Threshold=1,
ComparisonOperator='GreaterThanOrEqualToThreshold',
AlarmActions=[sns_topic_arn],
OKActions=[sns_topic_arn],
Dimensions=[
{
'Name': 'TrailName',
'Value': 'my-trail'
}
]
)
return response
# Usage example:
enable_cloudtrail_logs(
trail_name='my-trail',
log_group_arn='arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/my-trail',
role_arn='arn:aws:iam::123456789012:role/MyCloudTrailRole'
)
create_cloudtrail_alarm(
alarm_name='CloudTrail Changes',
metric_name='CloudTrailEventCount',
sns_topic_arn='arn:aws:sns:us-east-1:123456789012:my-sns-topic'
)
This script enables CloudWatch logs for your CloudTrail and sets up a CloudWatch alarm for tracking changes to your CloudTrail configurations.