CloudWatch Metric Filters

How could we act on events happening in our servers, infrastructure, or even account activity? CloudWatch Logs solves part of the problem; now we need a notification system that lets us know when events of interest occur.

  1. Make sure CloudTrail is active and configured, select your trail and navigate to the CloudWatch Logs section.

  2. Now proceed to configure the streaming of events to CloudWatch Logs. You will be required to provide a name for this log group.

  3. Click on Continue; the last step is to verify the role that will be created for us. You can specify custom roles for this operation.

  4. Click on Allow and you are done. The next step is to create a Metric Filter in the CloudWatch Log group created; in our case CloudTrail/DefaultLogGroup.

This filter has the ability to search for specific events and aggregate information about them. In our example we want to be notified when someone generates three failed events while trying to access the account with wrong IAM credentials within a timespan of 5 minutes.

  5. The Create Metric Filter page can be configured with a filter pattern, an expression that is applied to every single event.

  6. Use ConsoleSignInFailures as the Filter Name and paste the following pattern:
     { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }

  7. We need to specify a Metric Namespace and a Metric Name as shown in the following screenshot:

  8. Click on Create Filter; the next step is to add an alarm that fires when the expression matches 3 events in a period of 5 minutes.

  9. To test this behavior, try to log in to the console with the same user using wrong passwords three times. The CloudWatch alarm must be in the ALARM state and an email notification must be received immediately.

  10. To implement comprehensive alarms like this, AWS has provided a CloudFormation template with several alarms built on this model. You can deploy the following template in your accounts to keep them accountable and secure:
https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json
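To see what the filter and alarm actually compute before you deploy them, the following Python script (an added example, not code from the book or from AWS) replays constructed sample CloudTrail ConsoleLogin records through the same two conditions as the filter pattern above, sums the matches into 300-second periods the way the CloudWatch Sum statistic does, and reports which periods would put the alarm into the ALARM state with a threshold of 3. The user names, timestamps and event fields are made up for the example; the field names mirror the ones the filter pattern selects.

```python
"""Offline replay of the ConsoleSignInFailures metric filter and its alarm.

Constructed sample events (not real account data) are checked against the same
conditions as the filter pattern
    { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
counted per 5-minute period, and compared with the alarm threshold of 3.
"""
from collections import Counter
from datetime import datetime, timezone

PERIOD_SECONDS = 300   # the 5-minute alarm period from the text
THRESHOLD = 3          # three failed console logins in one period trigger the alarm

# Constructed sample events; only the fields the filter pattern looks at matter.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T10:01:20Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "errorMessage": "Failed authentication"},
    # a successful login carries no errorMessage, so the filter must skip it
    {"eventTime": "2024-01-01T10:02:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:03:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "errorMessage": "Failed authentication"},
    # a single failure half an hour later stays below the threshold
    {"eventTime": "2024-01-01T10:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "bob"}, "errorMessage": "Failed authentication"},
    # an unrelated API call never matches the pattern
    {"eventTime": "2024-01-01T10:31:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bob"}},
]


def matches_filter(event):
    """Both JSON selectors of the filter pattern must hold for the event to count."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def period_start(event_time):
    """Floor a CloudTrail eventTime to the start of its 300-second period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - (epoch % PERIOD_SECONDS)


def aggregate(events):
    """Per-period Sum of the metric, with a metric value of 1 for every matching event."""
    counts = Counter()
    for ev in events:
        if matches_filter(ev):
            counts[period_start(ev["eventTime"])] += 1
    return counts


def alarm_periods(events, threshold=THRESHOLD):
    """Start times of the periods whose Sum reaches the threshold (alarm would be in ALARM)."""
    return sorted(p for p, n in aggregate(events).items() if n >= threshold)


if __name__ == "__main__":
    for start, n in sorted(aggregate(SAMPLE_EVENTS).items()):
        state = "ALARM" if n >= THRESHOLD else "OK"
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        print(f"{when} failures={n} -> {state}")
```

Running it shows the 10:00 period with three failures in ALARM and the 10:30 period with one failure in OK. The replay also makes the period semantics visible: CloudWatch evaluates the Sum over fixed 5-minute periods, so three failures that straddle a period boundary (for example two at 10:04 and one at 10:06) land in two different periods and do not trip a threshold of 3 on their own, which is worth remembering when you pick the period and threshold for your own alarms.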