CloudWatch CIS Alarms
Last updated
CloudWatch alarms notify you of potentially malicious actions in your cloud environments. Building an effective library of alarms improves your security posture by alerting you early, so you can investigate and triage an event before it escalates. The Center for Internet Security (CIS) provides useful, well-documented guidance for applying a range of alarms that improve security monitoring and alerting in your cloud environments.
CIS is a non-profit organization that promotes cybersecurity readiness. It publishes up-to-date best practices and recommendations for a range of technologies, from operating systems to cloud platforms, AWS being one of them.
CIS calls these sets of detailed recommendations benchmarks. A benchmark provides a baseline and best practices for securely configuring a system. The CIS AWS Foundations Benchmark is the benchmark for AWS and has been actively maintained since 2015. It is designed to provide "an objective, consensus-driven security guideline for the Amazon Web Services Cloud Providers".
The CIS AWS Foundations Benchmark documents are published on the CIS website. The corresponding controls (security checks run against specific resources) are also described in the AWS Security Hub user guide.
The version of the CIS AWS Foundations Benchmark used in this lab (v1.2.0, whose numbering the controls below follow; later versions add a separate Storage section) is split into four sections, each with a number of recommendations or controls:
Identity and access management: Guidance for IAM-related configurations
Logging: Advice for configuring logging features and how to harden logging processes
Monitoring: Recommendations for configuring log metric filters and CloudWatch alarms
Networking: Guidance for VPC and network-related configurations
This lab focuses on Monitoring (section three) and how to set up log metric filters and alarms. As of June 2022, this section has 14 recommendations, each pairing a CloudWatch Logs metric filter with an alarm that targets a specific class of CloudTrail event, as shown in the examples below:
3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
3.3 – Ensure a log metric filter and alarm exist for usage of root user
3.4 – Ensure a log metric filter and alarm exist for IAM policy changes
3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Each recommendation contains detailed instructions, including the exact filter pattern and the CLI commands, for creating the metric filter and the alarm. This makes the section easy to implement, especially considering the improvement in security posture these alerts (and the rest of the benchmark) provide. Note that all 14 alarms presuppose that a CloudTrail trail is already delivering to a CloudWatch Logs log group (a Logging-section recommendation), so that section must be in place first or the metric filters will have nothing to match against.
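As an added example (not part of this lab or of the CIS benchmark itself), the following Python checks a handful of constructed CloudTrail records against the four controls listed above and builds the AWS CLI calls that would create the corresponding metric filter and alarm. The filter pattern strings are the ones published in benchmark v1.2.0 as I recall them, so verify them against the benchmark version you deploy; the Python predicates are hand-written equivalents of those patterns, not a CloudWatch pattern parser. The log group name, SNS topic ARN, metric namespace and the sample records are all placeholders I made up for illustration.

```python
"""Evaluate CIS AWS Foundations Benchmark v1.2.0 Monitoring controls 3.2-3.5 against
constructed CloudTrail records and emit the CLI calls that would implement each control."""
import shlex

# Event names taken from the benchmark's 3.4 (IAM policy changes) and 3.5 (CloudTrail
# configuration changes) filter patterns.
IAM_POLICY_EVENTS = (
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
)
CLOUDTRAIL_EVENTS = ("CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging")

# CloudWatch Logs filter patterns as published in benchmark v1.2.0 (verify against your version).
CIS_PATTERNS = {
    "3.2": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "3.3": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
           '&& $.eventType != "AwsServiceEvent" }',
    "3.4": "{" + "||".join(f"($.eventName={e})" for e in IAM_POLICY_EVENTS) + "}",
    "3.5": "{ " + " || ".join(f"($.eventName = {e})" for e in CLOUDTRAIL_EVENTS) + " }",
}


def _get(event, path):
    """Resolve a dotted path such as 'userIdentity.invokedBy'; None when any key is absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(control, event):
    """Hand-written Python equivalent of one control's filter pattern, applied to one record."""
    name = _get(event, "eventName")
    if control == "3.2":
        # Real ConsoleLogin records always carry additionalEventData.MFAUsed ("Yes" or "No").
        return name == "ConsoleLogin" and _get(event, "additionalEventData.MFAUsed") != "Yes"
    if control == "3.3":
        # invokedBy is set when an AWS service acts on the root user's behalf; the benchmark
        # excludes those records so the alarm only fires on direct root use.
        return (_get(event, "userIdentity.type") == "Root"
                and _get(event, "userIdentity.invokedBy") is None
                and _get(event, "eventType") != "AwsServiceEvent")
    if control == "3.4":
        return name in IAM_POLICY_EVENTS
    if control == "3.5":
        return name in CLOUDTRAIL_EVENTS
    raise ValueError(f"unknown control {control}")


def triggered_controls(events):
    """Map each control to the eventIDs that would increment its metric (and so fire its alarm)."""
    return {c: [e["eventID"] for e in events if matches(c, e)] for c in CIS_PATTERNS}


def cli_commands(control, log_group, sns_topic_arn, namespace="CISBenchmark"):
    """AWS CLI calls implementing one control: a metric filter on the CloudTrail log group and
    an alarm that fires when Sum >= 1 in a 5-minute period, notifying the SNS topic.
    log_group, sns_topic_arn and namespace are caller-supplied placeholders."""
    metric = "CIS-" + control.replace(".", "-")
    put_filter = (
        f"aws logs put-metric-filter --log-group-name {shlex.quote(log_group)} "
        f"--filter-name {metric} --filter-pattern {shlex.quote(CIS_PATTERNS[control])} "
        f"--metric-transformations metricName={metric},metricNamespace={namespace},metricValue=1"
    )
    put_alarm = (
        f"aws cloudwatch put-metric-alarm --alarm-name {metric} --metric-name {metric} "
        f"--namespace {namespace} --statistic Sum --period 300 --threshold 1 "
        f"--comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 "
        f"--alarm-actions {shlex.quote(sns_topic_arn)}"
    )
    return [put_filter, put_alarm]


# Constructed CloudTrail records, trimmed to the fields the patterns inspect; not real logs.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-2", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ev-3", "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser"}},
    {"eventID": "ev-4", "eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    # A service acting for root (invokedBy present): control 3.3 must not fire on this.
    {"eventID": "ev-5", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventID": "ev-6", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for control, ids in triggered_controls(SAMPLE_EVENTS).items():
        print(control, ids)
    print("\n".join(cli_commands("3.3", "CloudTrail/DefaultLogGroup",
                                 "arn:aws:sns:us-east-1:123456789012:cis-alarms")))
```

Run as a script, it reports which sample record trips which control (ev-1 for 3.2, ev-2 for 3.3, ev-3 for 3.4, ev-4 for 3.5, and nothing for the service-invoked root call or the MFA-backed login) and prints the two CLI commands for control 3.3. The `Sum`/`300`/`>= 1` alarm settings mirror the benchmark's audit procedure; the point of the `invokedBy NOT EXISTS` clause in 3.3 is exactly the ev-5 case, which would otherwise page you every time a service made a call under root credentials.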