Filters and Alarms in CloudWatch

Log Metric Filters and Alarms in CloudWatch
Amazon CloudWatch gives you the ability to create log metric filters and alarms. These alerts can be configured to monitor specific conditions that you are concerned about. AWS explains, “You can search and filter the log data coming into CloudWatch Logs by creating one or more metric filters. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set an alarm on.”

The CIS AWS Foundations Benchmark outlines 14 recommendations for log metric filters and alarms that should be active in CloudWatch, including log metric filters and alarms for:

  • Unauthorized API calls
  • AWS Management Console sign-in without MFA 
  • Use of the “root” account
  • IAM policy changes
  • CloudTrail configuration changes 
  • AWS Management Console authentication failures 
  • Disabling or schedule deletion of customer-created CMK 
  • S3 bucket policy changes 
  • AWS Config configuration changes 
  • Security group changes 
  • Changes to NACLs 
  • Changes to network gateways 
  • Route table changes
  • VPC changes 

To learn more about CloudWatch, visit the AWS documentation on creating metrics from log events using filters

Amazon CloudWatch allows you to create log metric filters and alarms. They can be used to create alerts that notify you of particular situations or particular things you’re monitoring in the environment that you need to be worried about. There are seven particularly important ones identified by the CIS: 1) Customer-created, customer-managed keys 2) CloudTrail configuration changes 3) AWS management console failed logins 4) S3 bucket policy changes 5) Security group changes 6) Changes to network gateways 7) VPC changes.

The first thing you want to monitor for is customer-managed keys, specifically the scheduled deletion or actual deletion of those keys. Those keys are what you use to encrypt things, so it’s important that you keep track of them and know if they’ve been deleted. Your CloudTrail environment is your authoritative logs. Any configuration changes to the CloudTrail environment are definitely something you want to know about and a metric worth alerting on. Failed logins to the AWS Management Console can represent something as simple as a mistyped password or a coordinated attack on your environment. Knowing when there’s a failed login to your AWS Management Console gives you a chance to react, if necessary. S3 buckets are where you store your environment’s information. It can be CloudTrail logs, it can be public information, it can be sensitive private information. Alerting on changes to the S3 bucket policies gives you the chance to ensure the security of that environment. Elastic servers are protected by security groups. Changes to these security groups should be monitored for and alerted by with the security group change metrics. Changes to network gateways will impact the communication between subnets within your VPC. Those changes can be monitored for and alerted with the changes to network gateway metric. Certainly, VPC changes that affect your entire environment should be monitored for and alerts should be generated as necessary. 

While there are many log metrics that can be used to monitor and alert on specific changes, these are the seven that are identified by the CIS as seven of the most important. It’s encouraged by AWS and security professionals that you investigate other ones that may be useful to your environment.

Related Videos