Strengthening AWS Security with Real-Time Monitoring

Don’t Ignore the Red Flags: Strengthening AWS Security with Real-Time Monitoring

Monitoring AWS Services: IAM, Config, SNS, and More with CloudWatch, CloudTrail, and EventBridge

Monitoring and securing your AWS environment is critical to maintaining a robust cloud infrastructure. AWS offers a suite of services, including CloudWatch, CloudTrail, and EventBridge, that can help you track activities, detect anomalies, and respond to events in real time. In this post, we'll dive into how to monitor changes in key AWS services, such as IAM, AWS Config, SNS, and more. This includes creating metric filters, setting up alarms, and leveraging EventBridge for proactive monitoring.


1. Monitoring AWS IAM Changes with CloudWatch

AWS Identity and Access Management (IAM) is the backbone of your cloud security. Ensuring that critical changes to IAM roles, policies, and keys are monitored can prevent unauthorized access and privilege escalation.

Setting Up IAM Monitoring

  1. Enable CloudTrail Logging for IAM Events
    Ensure that CloudTrail is logging all management events related to IAM. This will capture actions like creating, deleting, and modifying users, roles, policies, and access keys.
    Configure CloudTrail to send logs to CloudWatch Logs for real-time monitoring.

  2. Create Metric Filters for IAM Events
    Metric filters allow you to track specific API calls related to IAM changes. Here are some critical filter patterns:

    • Root User Activity:
      { ($.userIdentity.type = "Root") && ($.eventName != "ConsoleLogin") }

    • Unauthorized IAM Access Attempts (AccessDenied):
      { ($.errorCode = "AccessDenied") }

    • Login Failures (ConsoleLogin Failure):
      { ($.eventName = "ConsoleLogin") && ($.responseElements.ConsoleLogin = "Failure") }

    • Deactivating or Deleting MFA for Root/User Accounts:
      { ($.eventName = "DeactivateMFADevice") || ($.eventName = "DeleteVirtualMFADevice") }

    • Policy Changes for Admin Role/User:
      { ($.eventName = "AttachUserPolicy" || $.eventName = "PutRolePolicy") && ($.requestParameters.policyArn = "*AdministratorAccess*") }

  3. Create CloudWatch Alarms
    Use these metric filters to create alarms in CloudWatch. These alarms can be configured to trigger SNS notifications or invoke Lambda functions in response to critical IAM changes.
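As an added example (not code from the original post), the following Python script implements a small parser and evaluator for the subset of CloudWatch Logs filter-pattern syntax used above, so each pattern can be unit-tested against sample CloudTrail records before it is deployed as a metric filter. It is a re-implementation for local testing, not the CloudWatch engine: the behaviour for a field that is absent from the record (neither = nor != matches) is an assumption, and the CloudTrail records are constructed. It also resolves array paths written with [*], as used by the security group pattern later in this post.

```python
import json
import re
from fnmatch import fnmatchcase

# Filter-pattern subset used above: { } ( ) && ||, and "="/"!=" of a $.json.path vs a quoted string (* = wildcard).
_TOKEN_RE = re.compile(r'\s*(?:(\{|\}|\(|\)|&&|\|\||!=|=)|("(?:[^"\\]|\\.)*")|(\$[\w.\[\]*]+))')
_SEG_RE = re.compile(r"\.(\w+)|\[\*\]")  # path steps: .key, or [*] (captured group is empty)

def tokenize(pattern):
    leftover = _TOKEN_RE.sub("", pattern).strip()
    if leftover:
        raise ValueError(f"unexpected input in pattern: {leftover!r}")
    return [("op", op) if op else ("str", json.loads(s)) if s else ("path", p)
            for op, s, p in _TOKEN_RE.findall(pattern)]

def parse(tokens):
    """Recursive descent; expr := and ('||' and)*, and := term ('&&' term)*, term := (expr) | cmp."""
    pos = [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else ("eof", None)

    def take(kind, text=None):
        tok = peek()
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise ValueError(f"expected {text or kind}, got {tok}")
        pos[0] += 1
        return tok[1]

    def chain(op, tag, sub):  # left-associative chain of one binary operator
        node = sub()
        while peek() == ("op", op):
            pos[0] += 1
            node = (tag, node, sub())
        return node

    def expr():
        return chain("||", "or", lambda: chain("&&", "and", term))

    def term():
        if peek() == ("op", "("):
            pos[0] += 1
            node = expr()
            take("op", ")")
            return node
        path, op = take("path"), take("op")
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", path, op, take("str"))

    take("op", "{")
    node = expr()
    take("op", "}")
    take("eof")
    return node

def resolve(record, path):
    """Every leaf value a path like $.a.b[*].c selects; [*] fans out over arrays."""
    values = [record]
    for key in _SEG_RE.findall(path[1:]):
        if key:
            values = [v[key] for v in values if isinstance(v, dict) and key in v]
        else:
            values = [x for v in values if isinstance(v, list) for x in v]
    return values

def evaluate(node, record):
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if node[0] == "and" else (left or right)
    _, path, op, literal = node
    hit = lambda v: isinstance(v, str) and fnmatchcase(v, literal)
    # Assumption: a field absent from the record satisfies neither "=" nor "!=".
    return any(hit(v) if op == "=" else not hit(v) for v in resolve(record, path))

def compile_filter(pattern):
    node = parse(tokenize(pattern))
    return lambda record: evaluate(node, record)

FILTERS = {  # patterns from the list above
    "root_activity": '{ ($.userIdentity.type = "Root") && ($.eventName != "ConsoleLogin") }',
    "access_denied": '{ ($.errorCode = "AccessDenied") }',
    "login_failure": '{ ($.eventName = "ConsoleLogin") && ($.responseElements.ConsoleLogin = "Failure") }',
    "admin_policy": '{ ($.eventName = "AttachUserPolicy" || $.eventName = "PutRolePolicy") '
                    '&& ($.requestParameters.policyArn = "*AdministratorAccess*") }',
}

SAMPLE_RECORDS = [  # constructed CloudTrail records, one per CloudWatch Logs log event
    {"eventID": "e1", "eventName": "DescribeInstances", "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e3", "eventName": "GetBucketAcl", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser"}},
    {"eventID": "e4", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "e6", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser"},
     "requestParameters": {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

def run_detections(records=SAMPLE_RECORDS, filters=FILTERS):
    compiled = {name: compile_filter(p) for name, p in filters.items()}
    return {name: [r["eventID"] for r in records if hit(r)] for name, hit in compiled.items()}
```

Calling run_detections() shows why the AccessDenied pattern only counts records that actually carry an errorCode (successful calls have none) and why the root-activity pattern excludes the root ConsoleLogin record (e2) but not the root DescribeInstances record (e1). Once a pattern behaves as intended, the same string goes verbatim into the filter pattern of the metric filter that backs the alarm.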

2. Monitoring AWS Config Events

AWS Config records configuration changes to your resources and evaluates them against the rules you define. You can set up CloudWatch filters for critical AWS Config events.

AWS Config Metric Filters

  • Config Rule Non-Compliance:
    { ($.eventSource = "config.amazonaws.com") && ($.eventName = "ComplianceChangeNotification") && ($.responseElements.newEvaluationResult.complianceType = "NON_COMPLIANT") }

  • AWS Config Service Disabled:
    { ($.eventSource = "config.amazonaws.com") && ($.eventName = "StopConfigurationRecorder") }

These filters help ensure that your resources remain compliant with your security policies and flag non-compliant configurations.


3. Monitoring SNS Topic Deletion

Monitoring the deletion of Amazon SNS topics can be critical in maintaining event-driven architectures and alerting systems. For example, deleting an SNS topic like monitoring-audit could silently disrupt notifications and alerts, so it is important to track such events.

SNS Topic Deletion Metric Filter

To track when an SNS topic is deleted, you can create a metric filter in CloudWatch using the following pattern:


{ ($.eventName = "DeleteTopic") && ($.requestParameters.topicArn = "arn:aws:sns:region:account-id:*-cloudtrail-audit") }

By applying this filter, you can trigger CloudWatch alarms and use SNS to notify your operations team when an important topic is deleted.


4. EventBridge for Real-Time Event Monitoring

While CloudTrail and CloudWatch handle logs and metrics, Amazon EventBridge allows you to monitor events across AWS services in real time and respond to them automatically.

Using EventBridge for Critical Security Monitoring

You can create EventBridge rules that capture specific events and trigger automatic actions like invoking a Lambda function or sending an alert via SNS.

Here’s an example of how to use EventBridge to detect critical IAM changes:

  • EventBridge Rule for Detecting Root Account Usage:

    { "source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventName": ["ConsoleLogin"], "userIdentity": { "type": ["Root"] } } }

In this case, if the root account logs into the console, the EventBridge rule can trigger an alert or a Lambda function that sends a notification to the security team.

Proactive Monitoring with EventBridge

You can also monitor other critical security events across various services:

  • EventBridge Rule for EC2 Security Group Changes: Monitor when an EC2 security group is modified to allow ingress from any IPv4 address (0.0.0.0/0):

    { "source": ["aws.ec2"], "detail-type": ["AWS API Call via CloudTrail"], "detail": { "eventName": ["AuthorizeSecurityGroupIngress"], "requestParameters": { "ipPermissions": { "items": { "ipRanges": { "items": { "cidrIp": ["0.0.0.0/0"] } } } } } } }

The rule's target (for example, a Lambda function) can then revoke the offending ingress rule automatically or send an alert.
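As an added example, not code from the original post, here is a simplified Python re-implementation of how EventBridge matches an event pattern, enough to check the two rules above against constructed events offline. Only exact-value matching and the rule that any element of an array may satisfy a pattern field are modelled; this is an assumption about a subset, as the service has more operators. Console sign-in events arrive from the aws.signin source with the detail type AWS Console Sign In via CloudTrail, so the root sign-in rule below uses those values; the security group rule is the one from the post, and the events are constructed.

```python
def flatten(value, prefix=""):
    """Flatten a JSON document into {dotted.path: [leaf values]}.  Array elements keep
    their parent's path, which is why a pattern written against ipPermissions.items
    can match any one entry of that array (assumed EventBridge semantics)."""
    leaves = {}
    if isinstance(value, dict):
        for key, child in value.items():
            for path, vals in flatten(child, f"{prefix}.{key}" if prefix else key).items():
                leaves.setdefault(path, []).extend(vals)
    elif isinstance(value, list):
        for item in value:
            for path, vals in flatten(item, prefix).items():
                leaves.setdefault(path, []).extend(vals)
    else:
        leaves[prefix] = [value]
    return leaves

def pattern_leaves(pattern, prefix=""):
    """Flatten an event pattern into {dotted.path: [allowed values]}."""
    leaves = {}
    for key, child in pattern.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(child, dict):
            leaves.update(pattern_leaves(child, path))
        elif isinstance(child, list):
            leaves[path] = child
        else:
            raise ValueError(f"pattern value at {path} must be a list or an object")
    return leaves

def matches(pattern, event):
    """True when every field the pattern names holds at least one allowed value."""
    actual = flatten(event)
    return all(any(v in allowed for v in actual.get(path, []))
               for path, allowed in pattern_leaves(pattern).items())

RULES = {
    # Console sign-ins reach EventBridge from aws.signin with this detail type.
    "root_console_signin": {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
    },
    "sg_ingress_open_to_world": {  # the security group rule from the post
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventName": ["AuthorizeSecurityGroupIngress"],
                   "requestParameters": {"ipPermissions": {"items": {"ipRanges": {"items": {"cidrIp": ["0.0.0.0/0"]}}}}}},
    },
}

def cloudtrail_event(source, detail_type, **detail):
    """Minimal EventBridge envelope of a CloudTrail-backed event (constructed sample)."""
    return {"source": source, "detail-type": detail_type, "detail": detail}

SAMPLE_EVENTS = {
    "root_login": cloudtrail_event("aws.signin", "AWS Console Sign In via CloudTrail",
                                   eventName="ConsoleLogin", userIdentity={"type": "Root"}),
    "user_login": cloudtrail_event("aws.signin", "AWS Console Sign In via CloudTrail",
                                   eventName="ConsoleLogin", userIdentity={"type": "IAMUser"}),
    # Two ingress entries in one call: only the second one is open to the world.
    "sg_open_ssh": cloudtrail_event("aws.ec2", "AWS API Call via CloudTrail",
        eventName="AuthorizeSecurityGroupIngress",
        requestParameters={"ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    "sg_private_only": cloudtrail_event("aws.ec2", "AWS API Call via CloudTrail",
        eventName="AuthorizeSecurityGroupIngress",
        requestParameters={"ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}),
}

def triggered_rules(event, rules=RULES):
    """Names of the rules that would fire for one event, in definition order."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]
```

The sg_open_ssh event fires the rule even though its first ingress entry is a private range, because the pattern's cidrIp field is satisfied by any element under ipPermissions.items; the sg_private_only event does not. A Lambda target that revokes the change would read the same detail.requestParameters structure to find which entry to remove.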


5. Monitoring Other AWS Services for Critical Changes

AWS provides a variety of services that could benefit from real-time monitoring. Here are more key filter patterns to track changes that could impact your security posture:

S3 Bucket Policy Changes:

{ ($.eventName = "PutBucketPolicy" || $.eventName = "DeleteBucketPolicy" || $.eventName = "PutBucketAcl" || $.eventName = "DeleteBucketAcl") }

EC2 Security Group Ingress Open to Public:

{ ($.eventName = "AuthorizeSecurityGroupIngress") && ($.requestParameters.ipPermissions.items[*].ipRanges.items[*].cidrIp = "0.0.0.0/0") }

Lambda Function Code Changes:

{ ($.eventName = "UpdateFunctionCode") }

Conclusion

Monitoring and alerting are fundamental components of maintaining a secure and well-functioning AWS environment. By using CloudTrail, CloudWatch, EventBridge, and SNS together, you can create a comprehensive monitoring system that tracks and responds to critical security events in real time. Whether it's IAM, AWS Config, SNS, or other AWS services, proactive monitoring ensures that your infrastructure remains resilient, compliant, and secure.

Implement these best practices and metric filters to safeguard your AWS resources and prevent unauthorized access, misconfigurations, and potential security breaches.
