Amazon_CloudWatch_18

Ensure AWS Organizations Changes Alarm is configured

Description

Using Amazon CloudWatch alarms to detect administrator-specific changes such as creating an organization, deleting an organization, creating new accounts within an organization or removing a member account from an organization is considered best practice and can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.

Remediation

1. Sign in to the AWS Management Console.

2. Navigate to the CloudWatch dashboard at https://console.aws.amazon.com/cloudwatch/.

3. In the left navigation panel, select Logs.

4. Select the log group created for your CloudTrail trail event logs and click the Create Metric Filter button.

5. On the Define Logs Metric Filter page, paste the following pattern inside the Filter Pattern box: { ($.eventSource = organizations.amazonaws.com) && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CancelHandshake) || ($.eventName = CreateAccount) || ($.eventName = CreateOrganization) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = EnableAllFeatures) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdateOrganizationalUnit) || ($.eventName = UpdatePolicy)) }. The outer parentheses around the list of eventName alternatives make the eventSource condition apply to every event name rather than only to the first one, so the filter does not fire on same-named events from other services. This pattern will be used for scanning the AWS CloudTrail logs for administrator-specific event names like “CreateOrganization”, “LeaveOrganization” or “InviteAccountToOrganization”.

6. Review the metric filter configuration details, then click Assign Metric.

7. On the Create Metric Filter and Assign a Metric page, perform the following:

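The filter logic from step 5 and the metric and alarm that the remaining steps configure, as an added example in Python (not code from the original page or from the rule's vendor). It evaluates the filter's intended meaning over a few constructed CloudTrail records, shows why the eventName alternatives must sit in their own parentheses (an IAM CreatePolicy event would otherwise satisfy the pattern), and assembles the parameters for the CloudWatch Logs put_metric_filter and CloudWatch put_metric_alarm calls. The log group, filter, metric, namespace and SNS topic names are assumptions, not values from the page.

```python
"""Added example: evaluate the AWS Organizations metric-filter logic over
constructed CloudTrail records and build the CloudWatch API parameters for
the metric filter and alarm.  Not code from the original page."""
import json

# Event names from the page's filter pattern (step 5), in the page's order.
ORG_EVENT_NAMES = [
    "AcceptHandshake", "AttachPolicy", "CancelHandshake", "CreateAccount",
    "CreateOrganization", "CreateOrganizationalUnit", "CreatePolicy",
    "DeclineHandshake", "DeleteOrganization", "DeleteOrganizationalUnit",
    "DeletePolicy", "EnableAllFeatures", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "DetachPolicy",
    "DisablePolicyType", "MoveAccount", "RemoveAccountFromOrganization",
    "UpdateOrganizationalUnit", "UpdatePolicy",
]
ORG_EVENT_SOURCE = "organizations.amazonaws.com"


def build_filter_pattern() -> str:
    """Render the pattern with the eventName alternatives grouped in their own
    parentheses, so the eventSource test applies to every one of them."""
    names = " || ".join(f"($.eventName = {n})" for n in ORG_EVENT_NAMES)
    return f"{{ ($.eventSource = {ORG_EVENT_SOURCE}) && ({names}) }}"


def matches_grouped(record: dict) -> bool:
    """Intended semantics: Organizations source AND any listed event name."""
    return (record.get("eventSource") == ORG_EVENT_SOURCE
            and record.get("eventName") in ORG_EVENT_NAMES)


def matches_ungrouped(record: dict) -> bool:
    """The same terms read with && binding only to the first alternative,
    which is the risk when the alternatives are left ungrouped: every later
    eventName matches on its own, whatever the eventSource."""
    first, rest = ORG_EVENT_NAMES[0], ORG_EVENT_NAMES[1:]
    src_ok = record.get("eventSource") == ORG_EVENT_SOURCE
    name = record.get("eventName")
    return (src_ok and name == first) or name in rest


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "CreateAccount"},
    {"eventSource": "organizations.amazonaws.com", "eventName": "DescribeOrganization"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy"},  # IAM, not Organizations
    {"eventSource": "organizations.amazonaws.com", "eventName": "LeaveOrganization"},
]


def count_matches(records, matcher) -> int:
    """Number of records the given matcher accepts."""
    return sum(1 for r in records if matcher(r))


# Parameters for the metric filter and the alarm.  Log group, filter, metric,
# namespace and SNS topic names below are assumptions, not values from the page.
def build_metric_filter_params(log_group="CloudTrail/DefaultLogGroup") -> dict:
    """Keyword arguments for the CloudWatch Logs put_metric_filter call."""
    return {
        "logGroupName": log_group,
        "filterName": "OrganizationsChanges",
        "filterPattern": build_filter_pattern(),
        "metricTransformations": [{
            "metricName": "OrganizationsChangesCount",
            "metricNamespace": "CloudTrailMetrics",
            "metricValue": "1",
        }],
    }


def build_alarm_params(sns_topic_arn="arn:aws:sns:REGION:ACCOUNT_ID:security-alerts") -> dict:
    """Keyword arguments for the CloudWatch put_metric_alarm call: fire on the
    first matching event in a five-minute period."""
    return {
        "AlarmName": "OrganizationsChangesAlarm",
        "MetricName": "OrganizationsChangesCount",
        "Namespace": "CloudTrailMetrics",
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


if __name__ == "__main__":
    print(build_filter_pattern())
    for r in SAMPLE_RECORDS:
        print(json.dumps(r), "grouped:", matches_grouped(r),
              "ungrouped:", matches_ungrouped(r))
    # To apply against an account (needs boto3 and credentials):
    # import boto3
    # boto3.client("logs").put_metric_filter(**build_metric_filter_params())
    # boto3.client("cloudwatch").put_metric_alarm(**build_alarm_params())
```

Run stand-alone, the script prints the grouped pattern and a verdict per sample record; the IAM CreatePolicy record is rejected by the grouped reading and accepted by the ungrouped one, which is the difference the parentheses in step 5 make. The two builder functions return plain dictionaries so the parameters can be reviewed before the commented boto3 calls are uncommented.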

Service

CloudWatch

Severity

Medium

Compliance Mapping
