Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

AWS CloudWatch Events In Use

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CWE-001

Ensure that Amazon CloudWatch Events service is in use in order to enable you to react selectively and efficiently to system events that describe changes within your AWS resources. Specifically, with CloudWatch Events service you can create rules that match event patterns and take actions in response to those patterns. AWS CloudWatch Events make use of 3 main components: events, rules and targets. An event indicates a change in your AWS environment, a target processes events and a rule matches any incoming events and routes them to targets for processing. Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) works in the same way, i.e. the changes made within your AWS account are streamed into Cloud Conformity system then run them against the rules engine to take actions such as detecting anomalies, sending alert notifications, etc.
Example of Amazon CloudWatch Events use cases:
Send alert notifications when someone uses root credentials to sign-in to your AWS account.
Take a snapshot of an AWS EBS volume on a schedule.
Notify when there is an Amazon Web Services health notification posted to your account health dashboard.
Invoke an AWS Lambda function to pass a notification to a Slack channel when a specific event occurs within your AWS account.
Direct a particular API record from AWS CloudTrail to a Kinesis stream for detailed analysis of potential security risks.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Reliability
Performance
efficiency
Operational
excellence
Cost
optimisation

AWS CloudWatch Events will help you address security, reliability, performance efficiency and cost optimisation within your AWS account in the most efficient way. Security - CloudWatch Events service is integrated with the following AWS services to enforce security within your environment: AWS VPC for infrastructure protection, AWS CloudFormation and Identity and Access Management (IAM) for incident response, AWS EBS, EFS and S3 for data protection in the cloud, AWS Cloudtrail for tracking API Calls, AWS Config for inventory of AWS resources and AWS IAM for identity and access management within your account. Reliability and Fault Management - monitor AWS resources using CloudWatch Logs and create notifications in response to operational changes, ensuring that corrective actions are taken in response to those changes, send AWS Health notifications to ensure environment reliability, implement failover schemes based on triggered events, etc. Performance Efficiency - test for how fast your resources respond to different workloads and adapt accordingly using various automations, integrate with CloudWatch Logs to monitor if the allocated resources are performing optimally and take necessary actions in case any lapses are noticed, integrate with Amazon ElastiCache and Cloudfront to assist in implementing different caching strategies. Cost Optimisation - use CloudWatch Events rules to ensure that you don't exceed your capacity as you plan appropriately and test before deploying the necessary AWS resources.

Audit

To determine if Amazon CloudWatch Events service is in use (i.e. there are any active rules currently available) within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Rules.

04 On the Rules page, select Active from the Status dropdown menu to list all the active CloudWatch Events rules created within the selected AWS region. If no rules are returned, i.e.

If no rules are returned

there are no event rules currently available, therefore Amazon CloudWatch Events service is not currently in use within the selected AWS region.

Using AWS CLI

01 Run list-rules command (OSX/Linux/UNIX) to list the names of all AWS CloudWatch Events rules available in the selected AWS region: 

aws events list-rules
	--region us-east-1
	--query 'Rules[*].Name'

02 The command output should return an array with the requested rule names: 

[]

If the list-rules command output returns an empty array, i.e. [] (as shown in the example above), there are no event rules created within the region, therefore Amazon CloudWatch Events service is not utilized in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the entire audit process for other regions.

Remediation/Resolution:

In order to start utilizing AWS CloudWatch Events service within your AWS account you must create and configure CloudWatch Events rules. To create your own event rules, perform the following:

Note: As example, this conformity rule demonstrates how to use Amazon CloudWatch Events service to run an AWS Lambda function on a schedule.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, under Events section, select Rules.

04 Click Create rule button to start the process.

05 On Step 1: Create rule page, perform the following actions:

  1. Within the Event Source section, select Schedule, choose Fixed rate of and specify the schedule interval (for example, 5 minutes) that will be used to invoke your AWS Lambda function.
  2. In the Targets section, click Add target button, select Lambda function as target type from the main dropdown list then select your Lambda function from the Function dropdown list.

06 Click Configure details to continue the setup process.

07 On Step 2: Configure rule details page, enter a unique name for the event rule within the Name box then provide a short description for the rule (optional) within the Description box.

08 Make sure the State checkbox is enabled to activate the rule after creating it, then click Create rule button to create your new AWS CloudWatch Events rule.

09 Repeat steps no. 4 - 8 to create additional Amazon CloudWatch Events rules within the selected region.

10 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run put-rule command (OSX/Linux/UNIX) to create a CloudWatch Events rule that triggers itself on a schedule. The following command example creates an event rule named "cc-scheduled-event-rule" that runs every 5 minutes: 

aws events put-rule
	--region us-east-1
	--name cc-scheduled-event-rule
	--schedule-expression 'rate(5 minutes)'

02 The command output should return the Amazon Resource Name (ARN) of the newly created event rule: 

{
  "RuleArn": "arn:aws:events:us-east-1:123456789012:rule/cc-scheduled-event-rule"
}

03 Run add-permission command (OSX/Linux/UNIX) to add a permission to the resource policy associated with the selected Lambda function to trust the AWS CloudWatch Events service principal (i.e. events.amazonaws.com) and the scope permissions to the rule created at the previous step: 

aws lambda add-permission
	--region us-east-1
	--function-name LogScheduledEvent
	--statement-id cc-scheduled-event
	--action 'lambda:InvokeFunction'
	--principal events.amazonaws.com
	--source-arn arn:aws:events:us-east-1:123456789012:rule/cc-scheduled-event-rule

04 The command output should return the resource-based policy document for the specified AWS Lambda function:

{
  "Statement": "{\"Sid\":\"cc-scheduled-event\",\"Resource\":\"arn:aws:lambda:us-east-1:123456789012:function:LogScheduledEvent\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":[\"lambda:InvokeFunction\"],\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:us-east-1:123456789012:rule/cc-scheduled-event-rule\"}}}"
}

05 Finally, run put-targets command (OSX/Linux/UNIX) to attach your AWS Lambda function to the newly created Amazon CloudWatch Events rule. The following command example attach a Lambda function identified by the ARN "arn:aws:lambda:us-east-1:123456789012:function:LogScheduledEvent", using "5" as target identifier (ID) to a CloudWatch Events rule named "cc-scheduled-event-rule" (the command does not produce an output):

aws events put-targets
	--region us-east-1
	--rule cc-scheduled-event-rule
	--targets "Id"="5","Arn"="arn:aws:lambda:us-east-1:123456789012:function:LogScheduledEvent"

06 Repeat steps no. 1 - 5 to create new Amazon CloudWatch Events rules within the selected region.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to perform the entire process for other regions.

References

Publication date Jul 10, 2017

Related CloudWatchEvents rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

AWS CloudWatch Events In Use

Risk Level: Medium