It is advocated for users to set up a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls will facilitate to revealing of application errors and most likely will shrink the time to detect malicious interest.
Two things need to be done:
- Creation of a Metric Filter for specific CloudTrail log events.
- Creation of a CloudWatch alarm for the filter.
1. Creation of Metric Filter
- Login to AWS Traverse to
CloudWatch
. - In the left pane, click
Log Groups
and select the wanted log group. The log group must be assigned to a multi-region CloudTrail trail that has logging enabled. - Select
Metric filters
>Create Metric Filter
. - In
Filter pattern
, enter the following:{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
- Click Next.
- In the
Filter
name, typeAuthorizationFailures
. - In the
Metric namespace
, typeCloudTrailMetrics
. - In the
Metric name
, typeAuthorizationFailureCount
. - In
Metric value
, type1
. - Click Next > Create metric filter.
2. Generate an Alarm
- Check the
checkbox
near the recently created metric filter and clickCreate alarm
. - Select the
Threshold type
. - State the alarm condition and threshold value.
- Click Next.
- In the
Alarm state trigger
, selectIn alarm.
Now you have 3 options: Select an already present SNS topic, create a new topic, or use topic ARN.
Observe that the SNS topic must have a minimum of 1 subscriber.
- If you choose to create a new topic, enter a name in
Create a new topic
. - Enter a valid email address in
email endpoints
that will receive the notification. - Click
Create topic
. - Click Next.
- Enter an
Alarm name
. - Enter an
alarm description
. [not mandatory] - Click Next >
Create alarm
.
Done! 👍
You will now receive email/SMS alerts whenever any unwanted authorization failures occur.
Top comments (0)