IAM Policy Changes Alarm

More Info:

AWS IAM policy configuration changes should be monitored using CloudWatch alarms.

Risk Level

High

Address

Security

Compliance Standards

SOC2, HIPAA, ISO27001, AWSWAF, HITRUST, CISAWS, CBP, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

Create Metric Filter:

aws logs put-metric-filter \
  --log-group-name "YOUR_LOG_GROUP_NAME" \
  --filter-name "IAMPolicyChangesFilter" \
  --filter-pattern '{ $.eventSource = "iam.amazonaws.com" && $.eventName = "AttachRolePolicy" }' \
  --metric-transformations "metricName=IAMPolicyChangesEventCount,metricNamespace=CloudTrailMetrics,metricValue=1"

Replace "YOUR_LOG_GROUP_NAME" with the name of your CloudTrail log group.

Create CloudWatch Alarm (optional): Use the put-metric-alarm command to create an alarm based on the metric you created.

Using Python

import boto3

cloudwatch_logs = boto3.client('logs')
cloudwatch = boto3.client('cloudwatch')

# Create Metric Filter
response = cloudwatch_logs.put_metric_filter(
    logGroupName='YOUR_LOG_GROUP_NAME',
    filterName='IAMPolicyChangesFilter',
    filterPattern='{ $.eventSource = "iam.amazonaws.com" && $.eventName = "AttachRolePolicy" }',
    metricTransformations=[
        {
            'metricName': 'IAMPolicyChangesEventCount',
            'metricNamespace': 'CloudTrailMetrics',
            'metricValue': 1
        }
    ]
)

# Create CloudWatch Alarm (optional)
# You can use cloudwatch.put_metric_alarm() to create an alarm based on the metric

Replace "YOUR_LOG_GROUP_NAME" with the name of your CloudTrail log group.These steps should help you set up the IAMPolicyChangesEventCount metric in CloudWatch using the AWS Console, AWS CLI, or Python script. Remember to adjust the configuration according to your specific use case and environment.

Additional Reading:

https://aws.amazon.com/blogs/security/how-to-receive-alerts-when-your-iam-configuration-changes/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

IAM Policy Changes Alarm

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: