AWS CloudWatch Log Metric & Alarm for Unauthorized API calls

It is advocated for users to set up a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls will facilitate to revealing of application errors and most likely will shrink the time to detect malicious interest.

Two things need to be done:

• Creation of a Metric Filter for specific CloudTrail log events.
• Creation of a CloudWatch alarm for the filter.

1. Creation of Metric Filter

• Login to AWS Traverse to CloudWatch.
• In the left pane, click Log Groups and select the wanted log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled.
• Select Metric filters > Create Metric Filter.
• In Filter pattern, enter the following: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
• Click Next.
• In the Filter name, type AuthorizationFailures.
• In the Metric namespace, type CloudTrailMetrics.
• In the Metric name, type AuthorizationFailureCount.
• In Metric value, type 1.
• Click Next > Create metric filter.

2. Generate an Alarm

• Check the checkbox near the recently created metric filter and click Create alarm.
• Select the Threshold type.
• State the alarm condition and threshold value.
• Click Next.
• In the Alarm state trigger, select In alarm.

Now you have 3 options: Select an already present SNS topic, create a new topic, or use topic ARN.
Observe that the SNS topic must have a minimum of 1 subscriber.

• If you choose to create a new topic, enter a name in Create a new topic.
• Enter a valid email address in email endpoints that will receive the notification.
• Click Create topic.
• Click Next.
• Enter an Alarm name.
• Enter an alarm description. [not mandatory]
• Click Next > Create alarm.

Done! 👍
You will now receive email/SMS alerts whenever any unwanted authorization failures occur.

Ref: https://docs.fugue.co/FG_R00055.html