
Enable AWS CloudTrail integration with CloudWatch

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Security

Risk level: Medium (should be achieved)

Ensure AWS CloudTrail events are being monitored with CloudWatch Logs for management and security purposes. This enables you to respond quickly to critical operational events detected with CloudTrail events and captured by CloudWatch logs.

This rule resolution is part of the Cloud Conformity Security Package

With the CloudTrail - CloudWatch integration enabled you will be able to better manage your AWS infrastructure. For example, you can receive an SNS notification whenever an authorization failure occurs for your AWS account, giving you finer control over user access to the account. Note: this procedure assumes that you already have one or more working CloudTrail trails created in your AWS account.

Audit

To determine if CloudWatch integration is enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.


05 Check the CloudWatch Logs (Optional) section for any log groups available. If there aren't any CloudWatch Logs log groups defined, you must create one in order to enable CloudTrail integration with CloudWatch (see 'Remediation/Resolution' task).

Using AWS CLI

01 Run describe-log-groups command (OSX/Linux/UNIX) to list all CloudWatch Logs log groups in your AWS account, then look for the ones associated with AWS CloudTrail:

aws logs describe-log-groups

The command output should return a JSON object ( https://en.wikipedia.org/wiki/JSON ) for each log group available in your AWS account:

  1. If there aren't any log groups created, the logGroups list should be empty []:
    {
        "logGroups": []
    }
    
  2. If the command output reveals one or more log groups, search for the “CloudTrail” prefix inserted before the log group name to identify any groups associated with the CloudTrail service:
    {
        "logGroups": [
            {
                "arn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:*",
                "creationTime": 1460100817638,
                "metricFilterCount": 0,
                "logGroupName": "CloudTrail/MyCloudTrailLG",
                "storedBytes": 0
            }
        ]
    }
    
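The same audit can be performed directly from the trail configuration, since describe-trails reports each trail's CloudWatchLogsLogGroupArn and CloudWatchLogsRoleArn; a trail missing either value is not delivering to CloudWatch Logs. The following Python is an added example, not Cloud Conformity's own code: the sample describe-trails data is constructed, and boto3 is assumed to be installed only for the live check in main().

```python
# Constructed sample in the shape of `aws cloudtrail describe-trails` output:
# one trail delivering to CloudWatch Logs, one trail with no log group.
SAMPLE_DESCRIBE_TRAILS = {
    "trailList": [
        {
            "Name": "MyCloudTrail",
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:*",
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role",
        },
        {"Name": "AuditOnlyTrail"},
    ]
}


def trails_without_cloudwatch(describe_trails_output):
    """Names of trails missing a CloudWatch Logs log group ARN or the delivery
    role ARN; either one absent means events are not reaching CloudWatch Logs."""
    return [
        trail["Name"]
        for trail in describe_trails_output.get("trailList", [])
        if not trail.get("CloudWatchLogsLogGroupArn")
        or not trail.get("CloudWatchLogsRoleArn")
    ]


def log_group_name_from_arn(log_group_arn):
    """Log group name out of an ARN such as
    arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:*
    so it can be cross-checked against `aws logs describe-log-groups`."""
    marker = ":log-group:"
    if marker not in log_group_arn:
        raise ValueError("not a log group ARN: " + log_group_arn)
    name = log_group_arn.split(marker, 1)[1]  # the name may itself contain '/'
    return name[:-2] if name.endswith(":*") else name


def main():
    import boto3  # assumed installed; only the live check needs it
    trails = boto3.client("cloudtrail").describe_trails()
    for name in trails_without_cloudwatch(trails):
        print("FAIL: trail %s is not integrated with CloudWatch Logs" % name)


if __name__ == "__main__":
    main()
```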

Remediation / Resolution

Step 1: Create a custom log group for the selected CloudTrail trail in order to enable AWS CloudWatch monitoring:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to check.

05 In the CloudWatch Logs (Optional) section, click the Configure button to add a log group.

06 In the New or existing log group field, enter a name for a new or existing CloudWatch log group and click Continue.

07 Create an IAM role for CloudTrail, required to deliver events to the log stream:

  1. Click View Details.
  2. By default, the CloudTrail_CloudWatchLogs_Role role and its policy are selected. The default role policy contains the permissions required for creating a CloudWatch log stream and delivering CloudTrail events to that log stream. You can use the default role or create a new one.
  3. Click Allow to finish the log group setup process.

Using AWS CLI

01 Run create-log-group command (OSX/Linux/UNIX) to create the CloudWatch log group required by AWS CloudTrail:

aws logs create-log-group \
	--log-group-name CloudTrail/MyCloudTrailLG

02 Create the necessary assume role policy document for the CloudTrail_CloudWatchLogs_Role IAM role and paste the following content in a file named assume_role_policy_document.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

03 Run create-role command (OSX/Linux/UNIX) to create the CloudTrail_CloudWatchLogs_Role role that enables CloudTrail to send events to the CloudWatch log group:

aws iam create-role \
	--role-name CloudTrail_CloudWatchLogs_Role \
	--assume-role-policy-document file://assume_role_policy_document.json

04 Create the policy document that will be attached to the CloudTrail_CloudWatchLogs_Role IAM role and which grants CloudTrail the permissions to create log streams in the log group created earlier and to write events to them. Replace the region, account ID and log group name with your own values and save the policy in a file named cloudtrail-role-policy-document.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailCreateLogStream20160407",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:909466854460:log-group:CloudTrail/MyCloudTrailLG:log-stream:909466854460_CloudTrail_us-east-1*"
      ]
    },
    {
      "Sid": "AWSCloudTrailPutLogEvents20160407",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:909466854460:log-group:CloudTrail/MyCloudTrailLG:log-stream:909466854460_CloudTrail_us-east-1*"
      ]
    }
  ]
}

05 Run put-role-policy command (OSX/Linux/UNIX) to apply the policy document saved in cloudtrail-role-policy-document.json file to the CloudTrail_CloudWatchLogs_Role IAM role:

aws iam put-role-policy \
	--role-name CloudTrail_CloudWatchLogs_Role \
	--policy-name cloudtrail-policy \
	--policy-document file://cloudtrail-role-policy-document.json

06 Run update-trail command (OSX/Linux/UNIX) to update your trail configuration with the log group and IAM role information. Replace the trail name, region and account ID with your own values:

aws cloudtrail update-trail \
	--name MyCloudTrail \
	--cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/MyCloudTrailLG:* \
	--cloud-watch-logs-role-arn arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role

Step 2: Create a Simple Notification Service (SNS) topic in order to send notifications whenever the CloudWatch alarm fires based on a selected CloudTrail log event:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name (optional) for the topic and click Create Topic.

05 Select the newly created SNS topic by clicking on its ARN.

06 Under Subscription section, click Create Subscription.

07 Select a subscription protocol from the Protocol dropdown list (in this case email).

08 Enter the email address where you can receive CloudWatch alarm notifications and click Create Subscription.

09 Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create an SNS topic for sending notifications:

aws sns create-topic \
	--name MySNSTopic

02 The command output should return the new SNS topic ARN (Amazon Resource Name):

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification-endpoint (in this case email):

aws sns subscribe \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic \
	--protocol email \
	--notification-endpoint admin@domain.com

04 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint selected (in this case email):

aws sns confirm-subscription \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic \
	--token 6554392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da717458

Step 3: Create AWS CloudWatch metric filters, metrics and alarms to receive SNS notifications and take immediate action. The scenario used here assumes that you need to receive an SNS notification whenever an authorization failure occurs for your AWS account:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, select Logs.

04 Select the log group created for your trail event logs and click Create Metric Filter button.

05 Under Define Logs Metric Filter section, select Filter Pattern and type the following pattern: { $.errorCode = "AccessDenied" || $.errorCode = "UnauthorizedOperation" }. This metric filter matches any CloudTrail event whose errorCode field is exactly “AccessDenied” or “UnauthorizedOperation”.

06 Review the metric filter details and click Assign Metric.

07 Select Metric Name field and enter a name for the metric identifier.

08 Select Metric Value field and enter 1 as value. Each occurrence of “AccessDenied” or “UnauthorizedOperation” will increase the value of the metric by 1.

09 Review the metric details and click Create Filter.

10 Click Create Alarm.

11 In the Create Alarm dialog box, define the following:

  1. Select the Name field and provide a name for the CloudWatch alarm.
  2. Set 1 as the threshold value so that the alarm triggers on every authorization failure.
  3. Set up a time period of 1 minute to fire the alarm if one or more failures occur per minute.
  4. Set up the alarm state, notification topic and notification endpoint, then click Create Alarm.
  5. The next time an authorization failure occurs for your AWS account, you will receive an SNS notification email like the following: "You are receiving this email because your Amazon CloudWatch Alarm “Authorization failure alarm” in the US – N. Virginia region has entered the ALARM state, because “Threshold Crossed: 1 datapoint (3.0) was greater than the threshold (1.0).” at Monday 27 March, 2016 19:15:38 UTC".

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the CloudWatch metric filter and associate it with the specified log group (the pattern is single-quoted so the shell passes the inner double quotes through unchanged):

aws logs put-metric-filter \
	--log-group-name CloudTrail/MyCloudTrailLG \
	--filter-name authorization-failure \
	--filter-pattern '{ $.errorCode = "AccessDenied" || $.errorCode = "UnauthorizedOperation" }' \
	--metric-transformations metricName=authorization-failure,metricNamespace=LogMetrics,metricValue=1

02 Run describe-metric-filters command (OSX/Linux/UNIX) to determine if the CloudWatch metric filter has been successfully created and associated with the selected log group:

aws logs describe-metric-filters \
	--log-group-name CloudTrail/MyCloudTrailLG

03 The command output should return the metric filter associated with the specified log group:

{
    "metricFilters": [
        {
            "filterName": "authorization-failure",
            "metricTransformations": [
                {
                    "metricValue": "1",
                    "metricNamespace": "LogMetrics",
                    "metricName": "authorization-failure"
                }
            ],
            "creationTime": 1460116046017,
            "filterPattern": "{ $.errorCode = \"AccessDenied\" || $.errorCode = \"UnauthorizedOperation\" }"
        }
    ]
}

04 Run put-metric-alarm command (OSX/Linux/UNIX) to create the required CloudWatch alarm:

aws cloudwatch put-metric-alarm \
	--alarm-name authorization-failure-alarm \
	--alarm-description "Alarm when an authorization failure occurs" \
	--metric-name authorization-failure \
	--namespace LogMetrics \
	--statistic SampleCount \
	--period 60 \
	--threshold 1 \
	--comparison-operator GreaterThanOrEqualToThreshold \
	--evaluation-periods 1 \
	--alarm-actions arn:aws:sns:us-east-1:123456789012:MySNSTopic \
	--unit Count


Publication date Apr 8, 2016