The Cyber Security Library

CloudWatch CIS Alarms


Last updated 1 year ago

CloudWatch alarms notify you of potentially malicious actions in your cloud environment. Building an effective library of alarms improves your security posture by alerting you to suspicious activity early, so you can investigate and triage an event before it escalates. The Center for Internet Security (CIS) provides useful and well-documented guidance for applying a range of alarms to improve security and alerting in your cloud environments.

Center for Internet Security (CIS)

CIS is a non-profit organization that promotes cybersecurity readiness. It provides a number of up-to-date best practices and recommendations for a range of technologies from operating systems to cloud platforms – one being AWS!

CIS AWS Foundations Benchmark

CIS AWS Foundations Benchmark is split into four separate sections which each have a number of recommendations or controls:

  1. Identity and access management: Guidance for IAM-related configurations

  2. Logging: Advice for configuring logging features and how to harden logging processes

  3. Monitoring: Recommendations for configuring log metric filters and CloudWatch alarms

  4. Networking: Guidance for VPC and network-related configurations

This lab focuses on Monitoring (section three) and how to set up log metric filters and alarms. As of June 2022, this section has 14 individual recommendations, each being a separate alarm targeting a specific action, as shown in the examples below (the numbering used here follows v1.2.0 of the benchmark; later revisions insert a Storage section and move Monitoring to section four, so the same controls appear there as 4.x):

  • 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA

  • 3.3 – Ensure a log metric filter and alarm exist for usage of root user

  • 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes

  • 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Each segment contains detailed instructions on how to create and implement the various technical aspects of the benchmark guidance. This makes it extremely easy to implement, especially considering the improvement in security posture these alerts (and the rest of the benchmark) can provide.
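As an added example that is not part of the original page, the following Python script encodes the filter patterns for the four controls listed above exactly as the benchmark gives them (v1.2.0 numbering), mirrors each pattern in Python so it can be checked offline against CloudTrail events before anything is deployed, and builds the `aws logs put-metric-filter` and `aws cloudwatch put-metric-alarm` commands that would create the filter and alarm for a control. The sample events are constructed, and the log group name, metric namespace, alarm naming scheme and SNS topic ARN are assumptions; the script prints the CLI commands rather than executing them.

```python
"""Offline check of CIS AWS Foundations Benchmark (v1.2.0) Monitoring controls
3.2, 3.3, 3.4 and 3.5 against CloudTrail events, plus the AWS CLI commands that
would deploy the matching CloudWatch Logs metric filter and alarm."""
import json
import shlex

IAM_POLICY_EVENTS = [
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
]
TRAIL_EVENTS = ["CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"]

# The CloudWatch Logs filter patterns from the benchmark; these strings are what
# you hand to `aws logs put-metric-filter --filter-pattern`.
CIS_PATTERNS = {
    "3.2": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "3.3": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
           '&& $.eventType != "AwsServiceEvent" }',
    "3.4": "{" + "||".join(f"($.eventName={e})" for e in IAM_POLICY_EVENTS) + "}",
    "3.5": "{ " + " || ".join(f"($.eventName = {e})" for e in TRAIL_EVENTS) + " }",
}


def _get(event, dotted):
    """Walk a dotted path such as 'userIdentity.invokedBy'; None if any key is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


# Python equivalents of the four patterns, used to test them against sample events.
CIS_CHECKS = {
    "3.2": lambda e: e.get("eventName") == "ConsoleLogin"
                     and _get(e, "additionalEventData.MFAUsed") != "Yes",
    "3.3": lambda e: _get(e, "userIdentity.type") == "Root"
                     and _get(e, "userIdentity.invokedBy") is None   # NOT EXISTS
                     and e.get("eventType") != "AwsServiceEvent",
    "3.4": lambda e: e.get("eventName") in IAM_POLICY_EVENTS,
    "3.5": lambda e: e.get("eventName") in TRAIL_EVENTS,
}


def matched_controls(event):
    """Sorted list of CIS control IDs whose metric filter this event would trigger."""
    return sorted(cid for cid, check in CIS_CHECKS.items() if check(event))


def count_hits(events):
    """Per-control hit count: the metric value each filter would emit over these events."""
    counts = {cid: 0 for cid in CIS_CHECKS}
    for ev in events:
        for cid in matched_controls(ev):
            counts[cid] += 1
    return counts


def deploy_commands(control, log_group, sns_topic_arn, namespace="CISBenchmark"):
    """AWS CLI commands creating the metric filter and alarm for one control.
    Names and namespace are an assumed convention; the commands are returned, not run."""
    name = f"CIS-{control.replace('.', '-')}"
    put_filter = (
        f"aws logs put-metric-filter --log-group-name {shlex.quote(log_group)} "
        f"--filter-name {name} --filter-pattern {shlex.quote(CIS_PATTERNS[control])} "
        f"--metric-transformations metricName={name},metricNamespace={namespace},metricValue=1"
    )
    put_alarm = (
        f"aws cloudwatch put-metric-alarm --alarm-name {name} --namespace {namespace} "
        f"--metric-name {name} --statistic Sum --period 300 --threshold 1 "
        f"--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 "
        f"--alarm-actions {shlex.quote(sns_topic_arn)}"
    )
    return [put_filter, put_alarm]


# Constructed sample CloudTrail events (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},                       # 3.2 fires
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},                      # nothing fires
    {"eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root"}},                               # 3.3 and 3.5 fire
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},  # excluded by NOT EXISTS
    {"eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},                        # 3.4 fires
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", matched_controls(ev) or "no CIS alarm")
    print(json.dumps(count_hits(SAMPLE_EVENTS), indent=2))
    print("\n".join(deploy_commands("3.3", "/aws/cloudtrail/logs",
                                    "arn:aws:sns:eu-west-1:123456789012:cis-alerts")))
```

The fourth sample event is the case practitioners most often get wrong: root-identity events carrying `invokedBy` are service calls made on the account's behalf, and the benchmark's `NOT EXISTS` clause deliberately keeps them out of the root-usage alarm. The 3.2 pattern as written in v1.2.0 also fires for federated and SAML sign-ins that never set `MFAUsed`; later benchmark revisions add `$.userIdentity.type = "IAMUser"` and `$.responseElements.ConsoleLogin = "Success"` to the pattern to cut that noise, which is worth doing when you deploy.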

CIS publishes its detailed recommendations as documents it calls benchmarks, which give a baseline and best practices for securely configuring a system. The CIS AWS Foundations Benchmark is the benchmark for AWS and has been actively maintained since 2015. It's designed to provide “an objective, consensus-driven security guideline for the Amazon Web Services Cloud Providers”.

You can find all the CIS AWS Foundations Benchmarks on the CIS website. You can also view the controls (security checks against specific resources) in AWS's user guides.