AWS CloudTrail
User Guide (Version 1.0)

Creating CloudWatch Alarms for CloudTrail Events: Additional Examples

AWS Identity and Access Management (IAM) best practices recommend that you do not use your root account credentials to access AWS. Instead, you should create individual IAM users so that you can give each user a unique set of security credentials. The IAM Best Practices also recommend that you enable multi-factor authentication (MFA) for IAM users who are allowed access to sensitive resources or APIs.

You can monitor whether activity in your AWS account adheres to these best practices by creating CloudWatch alarms that notify you when root account credentials have been used to access AWS, or when API activity or console sign-ins have occurred without MFA. This document describes how to create these alarms.

Configuring an alarm involves two main steps:

  • Create a metric filter

  • Create an alarm based on the filter

Example: Monitor for Root Usage

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when root (account) credentials are used.

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter RootAccountUsage.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter RootAccountUsageCount.

  9. Choose Metric Value, and then type 1.

    Note

    If Metric Value does not appear, choose Show advanced metric settings first.

  10. When you are finished, choose Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    [Image: CloudWatch Logs Create Alarm Wizard]

    Setting                                  Value
    Name                                     Root Account Usage
    Whenever (metric) is                     >=1
    For (consecutive periods)                1
    Period                                   5 Minutes
    Statistic                                Sum
    Send notification to                     Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                               Choose Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, choose Create Alarm.

Example: Monitor for API Activity Without Multi-factor Authentication (MFA)

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when API calls are made without the use of multi-factor authentication (MFA).

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { $.userIdentity.sessionContext.attributes.mfaAuthenticated != "true" }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ApiActivityWithoutMFA.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name box, enter ApiActivityWithoutMFACount.

  9. Choose Metric Value, and then type 1.

    Note

    If Metric Value does not appear, choose Show advanced metric settings first.

  10. When you are finished, choose Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    [Image: CloudWatch Logs Create Alarm Wizard]

    Setting                                  Value
    Name                                     Api Activity Without MFA
    Whenever (metric) is                     >=1
    For (consecutive periods)                1
    Period                                   5 Minutes
    Statistic                                Sum
    Send notification to                     Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                               Choose Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, choose Create Alarm.

Example: Monitor for Console Sign In Without Multi-factor Authentication (MFA)

This scenario walks you through how to use the AWS Management Console to create an Amazon CloudWatch alarm that is triggered when a console sign-in occurs without multi-factor authentication (MFA).

Create a Metric Filter

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.

  4. Choose Create Metric Filter.

  5. On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:

    { $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed = "No" }

    Note

    For more information about syntax for metric filters and patterns for CloudTrail log events, see the JSON-related sections of Filter and Pattern Syntax in the Amazon CloudWatch User Guide.

  6. Choose Assign Metric, and then on the Create Metric Filter and Assign a Metric screen, in the Filter Name box, enter ConsoleSignInWithoutMfa.

  7. Under Metric Details, in the Metric Namespace box, enter CloudTrailMetrics.

  8. In the Metric Name field, enter ConsoleSignInWithoutMfaCount.

  9. Choose Metric Value, and then type 1.

    Note

    If Metric Value does not appear, choose Show advanced metric settings first.

  10. When you are finished, choose Create Filter.

Create an Alarm

These steps are a continuation of the previous steps for creating a metric filter.

  1. On the Filters for Log_Group_Name page, next to the filter name, choose Create Alarm.

  2. On the Create Alarm page, provide the following values.

    [Image: CloudWatch Logs Create Alarm Wizard]

    Setting                                  Value
    Name                                     Console Sign In Without MFA
    Whenever (metric) is                     1
    For (consecutive periods)                1
    Period                                   5 Minutes
    Statistic                                Sum
    Send notification to                     Near the Select a notification list box, choose New list, and then type a unique topic name for the list.
    Email list                               Choose Email list, and then type the email address to which you want notifications sent. (You will receive an email at this address to confirm that you created this alarm.)

  3. When you are finished, choose Create Alarm.
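The following is an added example, not code from AWS or this guide: it re-implements the three filter patterns above (root usage, API activity without MFA, console sign-in without MFA) as plain Python predicates and evaluates them over constructed CloudTrail-like records the way the alarms do (Metric Value 1 per match, Sum over a 5-minute period, alarm when the Sum is >=1). The sample events and the treatment of a `!=` test on an absent field are assumptions made for the example, not CloudWatch behaviour confirmed by this page.

```python
"""Added example, not AWS code. Evaluates the page's three metric filters and
alarm thresholds offline against constructed CloudTrail-like records."""
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed; only the fields the filters inspect are present
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

def get_path(event, path):
    """Value at a '$.a.b.c' path, or None when any component is absent (NOT EXISTS)."""
    node = event
    for key in path.lstrip("$.").split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

# One predicate per filter pattern on this page, keyed by its metric name.
# Assumption: a '!=' test on an absent field counts as a match (None != "true").
FILTERS = {
    "RootAccountUsageCount": lambda e: (
        get_path(e, "$.userIdentity.type") == "Root"
        and get_path(e, "$.userIdentity.invokedBy") is None          # invokedBy NOT EXISTS
        and get_path(e, "$.eventType") != "AwsServiceEvent"),
    "ApiActivityWithoutMFACount": lambda e: (
        get_path(e, "$.userIdentity.sessionContext.attributes.mfaAuthenticated") != "true"),
    "ConsoleSignInWithoutMfaCount": lambda e: (
        get_path(e, "$.eventName") == "ConsoleLogin"
        and get_path(e, "$.additionalEventData.MFAUsed") == "No"),
}
PERIOD_SECONDS, THRESHOLD = 300, 1   # "5 Minutes" period; alarm when Sum is ">=1"

def period_start(event_time):
    """Epoch second at which the 5-minute period containing event_time begins."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS

def evaluate(events):
    """Return {metric: {period_start: Sum}} keeping only periods that would be in ALARM."""
    sums = {name: defaultdict(int) for name in FILTERS}
    for event in events:
        for name, matches in FILTERS.items():
            if matches(event):
                sums[name][period_start(event["eventTime"])] += 1   # Metric Value = 1
    return {name: {p: s for p, s in periods.items() if s >= THRESHOLD}
            for name, periods in sums.items()}
```

Running `evaluate(SAMPLE_EVENTS)` shows the root filter ignoring the event where `invokedBy` is present, and the broad `mfaAuthenticated != "true"` pattern also counting the two console sign-ins, which is worth keeping in mind when tuning that alarm.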