> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authorization Failures Alarm

### More Info:

Any unauthorized API calls made within your AWS account should be monitored using CloudWatch alarms to respond quickly to unapproved actions.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CISAWSF, PCI, APRA, MAS, NIST4, SOC2, HIPAA, ISO27001, AWSWAF, HITRUST

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        The "Authorization Failures" alarm in AWS CloudWatch should be configured to trigger whenever unauthorized API calls are made. To set this up using the AWS Console:

        1. Sign in to the AWS Management Console.

        2. Navigate to [Amazon CloudWatch console](https://console.aws.amazon.com/cloudwatch/).

        3. In the left-hand menu, under **Logs**, choose **Log groups**.

        4. Click on the name (link) of the log group associated with your Amazon CloudTrail trail.

        5. Select the **Metric filters** tab and choose **Create metric filter**.

        6. On the **Create metric filter** setup page, perform the following actions:

           * For **Step 1: Define pattern**, paste the following pattern in the Filter Pattern box:\
             `{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}`\
             This will scan your Amazon CloudTrail logs for "AccessDenied" and "UnauthorizedOperation" events. Choose **Next**.

           * For **Step 2: Assign metric**, provide the following information:
             * In the **Filter name** box, enter a unique name for the new filter.
             * In the **Metric namespace** box, type `CloudTrailMetrics`.
             * In the **Metric name** box, type `AuthorizationFailure`.
             * In the **Metric value** box, type `1`.
             * (Optional) Choose **Count** from the Unit – optional dropdown list.
             * Choose **Next** to continue.

        7. On the **Metric filters** panel, select the newly created metric filter and choose **Create alarm**.

        8. On the **Create alarm** setup page, perform the following actions:

           * For **Step 1: Specify metric and conditions**:

             * In the **Metric section**, select **Sum** from the Statistic list, and choose **5 minutes** from the Period dropdown list.
             * In the **Conditions section**, select **Static** as Threshold type.
             * For **Whenever AuthorizationFailure is**, select **Greater/Equal (greater than or equal to)**, and enter `1` in the configuration box to trigger the CloudWatch alarm.
             * Choose **Next**.

           * For **Step 2: Configure actions**, define the alarm state that will trigger the CloudWatch alarm action:

             * Select **In alarm** under Alarm state trigger.
             * Choose **Select an existing SNS topic** and select the name of the SNS topic created at Step 1.
             * Choose **Next**.

           * For **Step 3: Add name and description**, provide a unique name and a short description for your new CloudWatch alarm. Choose **Next**.

           * For **Step 4: Preview and create**, review the alarm configuration details, then choose **Create alarm**.\
             Once the alarm is created, its **State** (status) will change from **Insufficient data** to **OK**.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The Authorization Failures alarm in AWS can also be created and managed using the AWS CLI. Follow these steps:

        1. Create the required CloudWatch metric filter and associate it with your Amazon CloudTrail trail. The pattern used will scan for `AccessDenied` and `UnauthorizedOperation` events.

        Run this command to create the metric filter:

        ```bash theme={null}
        aws logs put-metric-filter \
           --region us-east-1 \
           --log-group-name cc-project5-log-group \
           --filter-name AWSCloudAuthorizationFailure \
           --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' \
           --metric-transformations metricName=AuthorizationFailure,metricNamespace=CloudTrailMetrics,metricValue=1
        ```

        2. Create the CloudWatch alarm to monitor the authorization failures:

        ```bash theme={null}
        aws cloudwatch put-metric-alarm \
          --region us-east-1 \
          --alarm-name "AWSAuthorizationFailureAlarm" \
          --alarm-description "Triggered when unauthorized AWS API calls are made" \
          --metric-name AuthorizationFailure \
          --namespace CloudTrailMetrics \
          --statistic Sum \
          --comparison-operator GreaterThanOrEqualToThreshold \
          --evaluation-periods 1 \
          --period 300 \
          --threshold 1 \
          --actions-enabled \
          --alarm-actions arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic
        ```
      </Accordion>

      <Accordion title="Using Python">
        The "Authorization Failures" alarm in AWS CloudWatch is triggered when there are failed attempts to access AWS resources due to insufficient permissions. To remediate this issue using Python, follow these steps:

        1. First, set up the required metric filter and alarm in CloudWatch using the Boto3 library:

        ```python theme={null}
        import boto3

        # Initialize clients for CloudWatch Logs and CloudWatch
        logs_client = boto3.client('logs')
        cw_client = boto3.client('cloudwatch')

        # Create metric filter
        logs_client.put_metric_filter(
            logGroupName='cc-project5-log-group',
            filterName='AWSCloudAuthorizationFailure',
            filterPattern='{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}',
            metricTransformations=[
                {
                    'metricName': 'AuthorizationFailure',
                    'metricNamespace': 'CloudTrailMetrics',
                    'metricValue': '1'
                }
            ]
        )

        # Create CloudWatch alarm
        cw_client.put_metric_alarm(
            AlarmName='AWSAuthorizationFailureAlarm',
            AlarmDescription='Triggered when unauthorized AWS API calls are made',
            MetricName='AuthorizationFailure',
            Namespace='CloudTrailMetrics',
            Statistic='Sum',
            Period=300,
            EvaluationPeriods=1,
            Threshold=1,
            ComparisonOperator='GreaterThanOrEqualToThreshold',
            AlarmActions=['arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic']
        )
        ```

        2. This Python script will automatically set up the metric filter and alarm to monitor any authorization failures across your AWS account.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/use-cloudformation-template-to-create-cloudwatch-alarms.html](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/use-cloudformation-template-to-create-cloudwatch-alarms.html)
* [https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html](https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudWatchLogs/authorization-failures-alarm.html)
