Logo of Trend Micro

Authorization Failures Alarm

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CWL-002

Ensure there is a CloudWatch alarm created in your account that is triggered each time an unauthorized API call is made in order to respond quickly to any unapproved actions detected.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using CloudWatch alarms to detect unauthorized AWS API requests can help you keep the AWS account secure. For example, when managing the permissions of a large number of IAM users mistakes can be made and certain users can receive unintended IAM API access. With CloudWatch alarms these unintended API calls can be automatically detected, enabling you to act fast and revoke their access.

Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch in your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You can specify a custom name for the alarm using the rule configuration settings available on Cloud Conformity dashboard. Otherwise, the default name used for this rule will be “Authorization Failures”.

Audit

To determine if you have any CloudWatch alarms that are currently monitoring unauthorized API calls within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel select Alarms.

04 Open the CloudWatch dashboard Show/Hide Columns dialog box by clicking the configuration icon:

Open the CloudWatch dashboard Show/Hide Columns dialog box by clicking the configuration icon

then select the Metric Name checkbox.

05 Under Metric Name column, check each available alarm for the “AuthorizationFailureCount” metric parameter name. If this metric is not used by any of your CloudWatch alarms, the unapproved AWS API calls are not currently monitored using the CloudWatch service.

06 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run describe-alarms-for-metric command (OSX/Linux/UNIX) to list all CloudWatch alarms that are associated with the "AuthorizationFailureCount" metric:

aws cloudwatch describe-alarms-for-metric
	--region us-east-1
	--metric-name AuthorizationFailureCount
	--namespace CloudTrailMetrics

02The command output should return the MetricAlarms array that contains the metadata of the requested CloudWatch alarm(s):

{
    "MetricAlarms": []
}

If the command output returns an empty array, i.e. [], there are no CloudWatch alarms available in the selected AWS region, set to monitor unauthorized API requests.

03 Perform step no. 1 and 2 to repeat the audit process for the other AWS regions.

Remediation / Resolution

Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscriptions to send notifications whenever the CloudWatch alarm is triggered.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SNS dashboard at https://console.aws.amazon.com/sns/v2/.

03 In the left navigation panel, select Topics and click the Create new topic button.

04 In the Create new topic dialog box, enter a name and a display name for the topic and click Create Topic.

05 Select the newly created SNS topic by clicking on its ARN name:

Select the newly created SNS topic by clicking on its ARN

06 Under Subscription section, click Create Subscription.

07 Select Email as subscription protocol from the Protocol dropdown list.

08 Enter the email address where to receive the alarm notifications and click Create Subscription.

09 Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create a new SNS topic for sending email notifications:

aws sns create-topic
	--name MySNSTopic

02 The command output should return the new SNS topic ARN (Amazon Resource Name):

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:MySNSTopic"
}

03 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification-endpoint (in this case the endpoint is your email address):

aws sns subscribe
	--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic
	--protocol email
	--notification-endpoint admin@domain.com

04Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint selected (the command does not return an output):

aws sns confirm-subscription
	--topic-arn arn:aws:sns:us-east-1:123456789012:MySNSTopic
	--token 3882092f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bc858d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da715711

Step 2: Create AWS CloudWatch metric filter and the necessary alarm that will send SNS notifications whenever an authorization failure occurs within your AWS account.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Cloudwatch dashboard at https://console.aws.amazon.com/cloudwatch/.

03 In the left navigation panel, select Logs.

04 Select the log group created for your CloudTrail trail event logs and click Create Metric Filter button.

05 On the Define Logs Metric Filter page, click inside the Filter Pattern box and type the following pattern: { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }. This pattern will be used for scanning the CloudTrail event logs for strings like “AccessDenied” and “UnauthorizedOperation”.

06 Review the metric filter details and click Assign Metric.

07 On the Create Metric Filter and Assign a Metric page, in the Filter Name box, enter a name for the filter name, e.g. AWSAuthorizationFailures.

08 For the Metric Details section, provide the following information:

  1. In the Metric Namespace box, type CloudTrailMetrics.
  2. In the Metric Name box, type AuthorizationFailureCount for the metric identifier.
  3. Click Show advanced metric settings to show the advanced settings section.
  4. In the Metric Value box, enter 1. Each occurrence of the strings “AccessDenied” and “UnauthorizedOperation” will increase the value of the metric by 1.

09 Review the metric details and click Create Filter.

10 On the current page, click Create Alarm:

On the current page, click Create Alarm.

11 In the Create Alarm dialog box, define the following:

  1. In the Alarm Threshold section, enter a unique name (e.g. Authorization Failures) in the Name box and a short description for the alarm in the Description box.
  2. Under Whenever: <Metric Name>, select >= (greater than or equal to) from the is dropdown list and enter 3 as the threshold value for the sign-in failures in the box next to the dropdown list: select >= (greater than or equal to) from the is dropdown list and enter 3 as the threshold value for the sign-in failures in the box next to the dropdown list.
  3. In the Actions section, click the + Notification button, select State is ALARM from the Whenever this alarm dropdown menu and choose the AWS SNS topic name created at Step 1 from the Send notification to dropdown list.
  4. In the Alarm Preview section, select 5 Minutes from the Period dropdown list and Sum from the Statistic dropdown list: select 5 Minutes from the Period dropdown list and Sum from the Statistic dropdown list.
  5. Review the CloudWatch alarm configuration details then click Create Alarm. Once created, the alarm will be available on the CloudWatch Alarms page.

    6. Note: Next time when an authorization failure occurs within your AWS account, you will receive a notification email with the following message: "You are receiving this email because your Amazon CloudWatch Alarm “Authorization Failures” in the <AWS Region Name> region has entered the ALARM state, because “Threshold Crossed: 1 datapoint (3.0) was greater than the threshold (1.0).” at <Date and Time>”.

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the CloudWatch metric filter and associate it with the appropriate CloudTrail log group (the command does not return an output): 

aws logs put-metric-filter
	--region us-east-1
	--log-group-name CloudTrail/MyCloudTrailLG
	--filter-name AWSAuthorizationFailures
	--filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }'
	--metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1

02Run put-metric-alarm command (OSX/Linux/UNIX) to create the required CloudWatch alarm (if successful, the command does not return an output): 

aws cloudwatch put-metric-alarm
	--region us-east-1
	--alarm-name "Authorization Failures"
	--alarm-description "Alarm triggered when unauthorized API calls are made"
	--metric-name AuthorizationFailureCount
	--namespace CloudTrailMetrics
	--statistic Sum
	--comparison-operator GreaterThanOrEqualToThreshold
	--evaluation-periods 1
	--period 300
	--threshold 1
	--actions-enabled
	--alarm-actions arn:aws:sns:us-east-1:123456789012:MySNSTopic

References

Publication date Aug 18, 2016

Related CloudWatchLogs rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Authorization Failures Alarm

Risk level: Medium