Amazon CloudWatch

CloudWatch Monitoring Metrics Not Enabled For Region

This plugin ensures metric filters are set up for CloudWatch logs to detect security risks from CloudTrail.

Risk Level: Medium

Description

This plugin ensures metric filters are set up for CloudWatch logs to detect security risks from CloudTrail. Without metric filters, extracting useful information from the CloudTrail logs in CloudWatch is a tedious task. Setting up metric filters is recommended to simplify the process.

About the Service

Amazon CloudWatch: Amazon CloudWatch is a monitoring service for developers and DevOps engineers. CloudWatch gives you the actionable information and data you need to monitor your applications and optimize resource utilization. The logs it collects can then be used to draw important conclusions if the system is compromised.

Impact

According to the AWS documentation, metric filters are used to extract metric observations from ingested events and transform them to data points in a CloudWatch metric. Metric filters are important for deriving critical conclusions from the events captured by the log stream.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon CloudWatch Management Console. You can use this link (https://console.aws.amazon.com/cloudwatch) to navigate directly if already logged in.
  3. Go to Log Groups in the Logs section of the left navigation pane.
  4. In the list of log groups, look at the Metric filters column. If it is empty, the vulnerability exists.
  5. Repeat these steps for all the Log Groups you want to investigate.

Steps for Remediation

Enable metric filters to detect malicious activity in CloudTrail logs sent to CloudWatch.

  1. Log in to your AWS Console.
  2. Open the Amazon CloudWatch Management Console. You can use this link (https://console.aws.amazon.com/cloudwatch) to navigate directly if already logged in.
  3. Go to Log Groups in the Logs section of the left navigation pane.
  4. In the list of log groups, open the vulnerable Log Group by clicking on its Name.
  5. Switch to the Metric Filters tab.
  6. Click on the Create Metric Filter button. Now, follow the basic steps to create a Metric Filter. Click on Create when done.
  7. Repeat steps 4 to 6 for all the vulnerable Log Groups.
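
The console audit and remediation steps above can also be done through the CloudWatch Logs API. The following is an added example, not part of the original page or the plugin's code: the filter name, metric name and namespace are hypothetical, the filter pattern (denied API calls) is one common CloudTrail check chosen for illustration, and `StubLogs` is a constructed stand-in for `boto3.client("logs")` so the script runs offline.

```python
# Added example: find log groups with no metric filters, then attach one.
# Assumptions: the filter/metric names and namespace below are hypothetical;
# the pattern matches CloudTrail events for denied API calls.
UNAUTHORIZED_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || '
    '($.errorCode = "AccessDenied*") }'
)


def groups_without_filters(logs):
    """Return names of log groups that have no metric filter attached."""
    pages = logs.get_paginator("describe_log_groups").paginate()
    return [g["logGroupName"] for page in pages for g in page["logGroups"]
            if g.get("metricFilterCount", 0) == 0]


def add_unauthorized_calls_filter(logs, log_group):
    """Create a metric filter that counts denied API calls in a log group."""
    logs.put_metric_filter(
        logGroupName=log_group,
        filterName="UnauthorizedApiCalls",             # hypothetical name
        filterPattern=UNAUTHORIZED_PATTERN,
        metricTransformations=[{
            "metricName": "UnauthorizedApiCallCount",  # hypothetical name
            "metricNamespace": "CloudTrailMetrics",    # hypothetical name
            "metricValue": "1",                        # count 1 per match
        }],
    )


class StubLogs:
    """Constructed stand-in for boto3.client("logs"); records created filters."""
    def __init__(self, groups):
        self.groups, self.created = groups, []
    def get_paginator(self, _operation):
        return self
    def paginate(self):
        yield {"logGroups": self.groups}
    def put_metric_filter(self, **kwargs):
        self.created.append(kwargs)


if __name__ == "__main__":
    # Constructed sample data; pass boto3.client("logs") for a real account.
    logs = StubLogs([
        {"logGroupName": "cloudtrail-logs", "metricFilterCount": 0},
        {"logGroupName": "app-logs", "metricFilterCount": 2},
    ])
    for name in groups_without_filters(logs):
        add_unauthorized_calls_filter(logs, name)
        print("metric filter added to", name)
```

A CloudWatch Logs client is bound to one region, so the audit has to be repeated with a client for each region in use.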