Ensure there is a CloudWatch alarm created in your account that is triggered each time an unauthorized API call is made in order to respond quickly to any unapproved actions detected.
This rule can help you with the following compliance standards:
- The Center of Internet Security AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- NIST 800-53 (Rev. 4)
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using CloudWatch alarms to detect unauthorized AWS API requests can help you keep the AWS account secure. For example, when managing the permissions of a large number of IAM users mistakes can be made and certain users can receive unintended IAM API access. With CloudWatch alarms these unintended API calls can be automatically detected, enabling you to act fast and revoke their access.
Note 1: For this rule Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch in your AWS account, otherwise see this rule to enable AWS Cloudtrail – CloudWatch integration.
Note 2: You can specify a custom name for the alarm using the rule configuration settings available on Cloud Conformity dashboard. Otherwise, the default name used for this rule will be “Authorization Failures”.
To determine if you have any CloudWatch alarms that are currently monitoring unauthorized API calls within your AWS account, perform the following:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscriptions to send notifications whenever the CloudWatch alarm is triggered.
Step 2: Create AWS CloudWatch metric filter and the necessary alarm that will send SNS notifications whenever an authorization failure occurs within your AWS account.
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events: Examples
- Sending CloudTrail Events to CloudWatch Logs
- Create a Topic
- Subscribe to a Topic
- Creating Amazon CloudWatch Alarms
- Create or Edit an Alarm
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Authorization Failures Alarm
Risk level: Medium