Authorization Failures Alarm

More Info:

Any unauthorized API calls made within your AWS account should be monitored using CloudWatch alarms to respond quickly to unapproved actions.

Risk Level

Medium

Address

Security

Compliance Standards

CISAWSF, PCI, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, AWSWAF, HITRUST

Triage and Remediation

Remediation

Using Console

Using CLI

The Authorization Failures alarm in AWS can also be created and managed using the AWS CLI. Follow these steps:

Create the required CloudWatch metric filter and associate it with your Amazon CloudTrail trail. The pattern used will scan for AccessDenied and UnauthorizedOperation events.

Run this command to create the metric filter:

aws logs put-metric-filter \
   --region us-east-1 \
   --log-group-name cc-project5-log-group \
   --filter-name AWSCloudAuthorizationFailure \
   --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' \
   --metric-transformations metricName=AuthorizationFailure,metricNamespace=CloudTrailMetrics,metricValue=1

Create the CloudWatch alarm to monitor the authorization failures:

aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name "AWSAuthorizationFailureAlarm" \
  --alarm-description "Triggered when unauthorized AWS API calls are made" \
  --metric-name AuthorizationFailure \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 1 \
  --actions-enabled \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic

Using Python

The “Authorization Failures” alarm in AWS CloudWatch is triggered when there are failed attempts to access AWS resources due to insufficient permissions. To remediate this issue using Python, follow these steps:

First, set up the required metric filter and alarm in CloudWatch using the Boto3 library:

import boto3

# Initialize clients for CloudWatch Logs and CloudWatch
logs_client = boto3.client('logs')
cw_client = boto3.client('cloudwatch')

# Create metric filter
logs_client.put_metric_filter(
    logGroupName='cc-project5-log-group',
    filterName='AWSCloudAuthorizationFailure',
    filterPattern='{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}',
    metricTransformations=[
        {
            'metricName': 'AuthorizationFailure',
            'metricNamespace': 'CloudTrailMetrics',
            'metricValue': '1'
        }
    ]
)

# Create CloudWatch alarm
cw_client.put_metric_alarm(
    AlarmName='AWSAuthorizationFailureAlarm',
    AlarmDescription='Triggered when unauthorized AWS API calls are made',
    MetricName='AuthorizationFailure',
    Namespace='CloudTrailMetrics',
    Statistic='Sum',
    Period=300,
    EvaluationPeriods=1,
    Threshold=1,
    ComparisonOperator='GreaterThanOrEqualToThreshold',
    AlarmActions=['arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic']
)

This Python script will automatically set up the metric filter and alarm to monitor any authorization failures across your AWS account.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Authorization Failures Alarm

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: