AWS CloudWatch Audit

Audit your CloudWatch

What do we do?

AWS CloudWatch Events Should Be Used

CloudWatch Events should be used to help you respond to operational changes within your AWS resources.

AWS Config Changes Alarm

AWS Config configuration changes should be monitored using CloudWatch alarms.

AWS Console Sign In Without MFA Should Be Monitored

AWS Console sign-in requests without MFA should be monitored using CloudWatch Events.

AWS Organizations Changes Alarm

AWS Organizations changes should be monitored using AWS CloudWatch alarms.

Authorization Failures Alarm

Any unauthorized API calls made within your AWS account should be monitored using CloudWatch alarms.

CMK Disabled or Scheduled for Deletion Alarm

AWS CMK configuration changes should be monitored using CloudWatch alarms.

CloudTrail Changes Alarm

All AWS CloudTrail configuration changes should be monitored using CloudWatch alarms.

Console Sign-in Failures Alarm

Your AWS Console authentication process should be monitored using CloudWatch alarms.

EC2 Instance Changes Alarm

AWS EC2 instance changes should be monitored using CloudWatch alarms.

EC2 Large Instance Changes Alarm

AWS EC2 large instance changes should be monitored using CloudWatch alarms.

IAM Policy Changes Alarm

AWS IAM policy configuration changes should be monitored using CloudWatch alarms.

Internet Gateway Changes Alarm

AWS VPC Customer/Internet Gateway configuration changes should be monitored using CloudWatch alarms.

Network ACL Changes Alarm

AWS Network ACL configuration changes should be monitored using CloudWatch alarms.

Root Account Usage Alarm

Root account usage should be monitored using CloudWatch alarms.

Route Table Changes Alarm

AWS route table configuration changes should be monitored using CloudWatch alarms.

S3 Bucket Changes Alarm

AWS S3 bucket configuration changes should be monitored using CloudWatch alarms.

Security Group Changes Alarm

AWS security group configuration changes should be monitored using CloudWatch alarms.

VPC Changes Alarm

AWS VPC configuration changes should be monitored using CloudWatch alarms.

Event Bus Should Not Be Exposed

Your AWS CloudWatch event bus should not be exposed to everyone.

EventBus Should Not Allow Cross Account Access

AWS CloudWatch event buses should not allow unknown cross-account access for delivery of events.

CloudWatch Alarm for VPC Flow Logs Metric Filter

A CloudWatch alarm should be created for the VPC Flow Logs metric filter and an alarm action should be configured.

Metric Filter for VPC Flow Logs CloudWatch Log Group

A log metric filter should be created for the CloudWatch log group assigned to the VPC Flow Logs.

