AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
IAM Policy Changes Alarm
More Info:
AWS IAM policy configuration changes should be monitored using CloudWatch alarms.
Risk Level
High
Address
Security
Compliance Standards
SOC2, HIPAA, ISO27001, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF, PCIDSS
Triage and Remediation
Remediation
-
Configure CloudTrail to Deliver Logs to CloudWatch Logs:
- Go to the AWS Management Console.
- Open the CloudTrail service.
- Select your trail.
- Click on “Edit”.
- In the “CloudWatch Logs” section, select an existing log group or create a new one.
- Click “Save changes”.
-
Create Metric Filter and Alarm:
- Go to the CloudWatch service in the AWS Management Console.
- In the left-hand navigation pane, choose “Logs” and then select the log group you configured in CloudTrail.
- Click on “Create metric filter”.
- Define a filter pattern that matches IAM policy changes. For example, you might use a pattern like
{ $.eventSource = "iam.amazonaws.com" && $.eventName = "AttachRolePolicy" }. - Click “Assign metric”.
- Give your metric a name like
IAMPolicyChangesEventCount. - Click “Create filter”.
- Once your filter is created, you can set up an alarm based on this metric.
-
Create Metric Filter:
aws logs put-metric-filter \ --log-group-name "YOUR_LOG_GROUP_NAME" \ --filter-name "IAMPolicyChangesFilter" \ --filter-pattern '{ $.eventSource = "iam.amazonaws.com" && $.eventName = "AttachRolePolicy" }' \ --metric-transformations "metricName=IAMPolicyChangesEventCount,metricNamespace=CloudTrailMetrics,metricValue=1"Replace
"YOUR_LOG_GROUP_NAME"with the name of your CloudTrail log group. -
Create CloudWatch Alarm (optional): Use the
put-metric-alarmcommand to create an alarm based on the metric you created.
import boto3
cloudwatch_logs = boto3.client('logs')
cloudwatch = boto3.client('cloudwatch')
# Create Metric Filter
response = cloudwatch_logs.put_metric_filter(
logGroupName='YOUR_LOG_GROUP_NAME',
filterName='IAMPolicyChangesFilter',
filterPattern='{ $.eventSource = "iam.amazonaws.com" && $.eventName = "AttachRolePolicy" }',
metricTransformations=[
{
'metricName': 'IAMPolicyChangesEventCount',
'metricNamespace': 'CloudTrailMetrics',
'metricValue': 1
}
]
)
# Create CloudWatch Alarm (optional)
# You can use cloudwatch.put_metric_alarm() to create an alarm based on the metric
Replace "YOUR_LOG_GROUP_NAME" with the name of your CloudTrail log group.
These steps should help you set up the IAMPolicyChangesEventCount metric in CloudWatch using the AWS Console, AWS CLI, or Python script. Remember to adjust the configuration according to your specific use case and environment.