Which approach will generate automated security alerts should too many unauthorized AWS API requests be identified?
A. Create an Amazon CloudWatch metric filter that looks for API call error codes and then implement an alarm based on that metric's rate.
B. Configure AWS CloudTrail to stream event data to Amazon Kinesis. Configure an AWS Lambda function on the stream to alarm when the threshold has been exceeded.
C. Run an Amazon Athena SQL query against CloudTrail log files. Use Amazon QuickSight to create an operational dashboard.
D. Use the Amazon Personal Health Dashboard to monitor the account's use of AWS services, and raise an alert if service error rates increase.
A is the correct answer.
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
In the navigation pane, choose Logs.
In the list of log groups, select the check box next to the log group that you created for CloudTrail log events.
Choose Create Metric Filter.
On the Define Logs Metric Filter screen, choose Filter Pattern and then type the following:
{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
Choose Assign Metric.
For Filter Name, type AuthorizationFailures.
For Metric Namespace, type CloudTrailMetrics.
For Metric Name, type AuthorizationFailureCount.
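What the metric filter in the steps above actually counts, as an added example that is not from the original page, from the commenter, or from AWS: a Python simulation of the pattern's two wildcard comparisons run over constructed CloudTrail records, bucketed into alarm periods and compared against a threshold. The sample records, the fnmatch-based handling of CloudWatch's `*` wildcard, and the 300-second period are assumptions made for illustration.

```python
import fnmatch
from collections import Counter
from datetime import datetime, timezone

# The two comparisons that the metric filter pattern above ORs together:
#   { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
# Assumption: CloudWatch's "*" wildcard is modelled with fnmatch-style globbing,
# which is enough for the leading/trailing wildcards this pattern uses.
FILTER_TERMS = ("*UnauthorizedOperation", "AccessDenied*")

# Constructed CloudTrail records (not real account data). Successful calls carry
# no errorCode field at all, which is why the pattern keys on that field.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:00:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets"},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "InvalidParameterValue"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "errorCode": "AccessDenied"},
]


def matches_filter(record: dict) -> bool:
    """True if the record would increment AuthorizationFailureCount."""
    code = record.get("errorCode")
    if not isinstance(code, str):
        return False
    return any(fnmatch.fnmatchcase(code, term) for term in FILTER_TERMS)


def failures_per_period(records, period_seconds: int = 300) -> Counter:
    """Sum matching records per alarm period, keyed by the period's start epoch.

    This mirrors a CloudWatch alarm evaluating the metric with the Sum statistic.
    """
    counts = Counter()
    for rec in records:
        if not matches_filter(rec):
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
        counts[epoch - epoch % period_seconds] += 1
    return counts


def alarm_state(counts: Counter, threshold: int) -> str:
    """ALARM when any period reaches the threshold (GreaterThanOrEqualToThreshold)."""
    return "ALARM" if any(n >= threshold for n in counts.values()) else "OK"


if __name__ == "__main__":
    counts = failures_per_period(SAMPLE_RECORDS)
    for start in sorted(counts):
        when = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%H:%M")
        print(f"period starting {when}Z: {counts[start]} authorization failure(s)")
    print("threshold 1 ->", alarm_state(counts, threshold=1))
    print("threshold 4 ->", alarm_state(counts, threshold=4))
```

Note that the generic `InvalidParameterValue` error is not counted: the filter keys on authorization-failure codes, not on API errors in general, so the metric rises only when callers are denied. The threshold is left as a parameter because the question's "too many" is undefined; the CIS control referenced further down uses a threshold of 1 over a 300-second period.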
For this question, an answer without mentioning CloudTrail does not sound right.
A. could've been the best answer had it mentioned CloudTrail. I know it is enabled by default, but needs a trail toward CloudWatch to be created.
https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html
Related requirements: CIS AWS Foundations Benchmark v1.2.0/3.1
Resource type: AWS::Logs::MetricFilter, AWS::CloudWatch::Alarm, AWS::CloudTrail::Trail, AWS::SNS::Topic
You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
The check results in FAILED findings in the following cases:
No trail is configured.
B. Has anyone seen an integration between CloudTrail and KDS? I haven't. My thinking is that it would still need a trail toward an S3 bucket, then a Lambda function to ingest data.
C. Actually this is a very good answer. CloudTrail >> Athena (through S3) >> QuickSight dashboard where you can create threshold alerts. Still, it only mentioned creating a dashboard, without alerts.
D. Forget it.
I'd say, this is a question made up by someone lacking enough information.
Couldn't find anything to suggest CloudTrail can go directly to Kinesis, has to go via S3 first.
Multiple articles state that this can be done via CloudWatch, although my instinct would be CloudTrail for API requests.
I'd go A
https://aws.amazon.com/blogs/security/using-cloudtrail-to-identify-unexpected-behaviors-in-individual-workloads/
Activities within your AWS account can be recorded with CloudTrail, which makes it the ideal service not only for deeper investigations into past cloud activities but also to detect unwanted behaviors in near real time. CloudTrail sends logs to an S3 bucket and can forward events to CloudWatch. Using CloudWatch, you can perform searches across all CloudTrail events and define CloudWatch alarms for automatic notifications.
You can create alerts for individual CloudTrail events that you consider an anomaly by creating CloudWatch filters and alarms. A filter defines the events that you want to monitor and an alarm defines the threshold when you want to be notified.
Anomaly detection in the cloud monitors cloud service activities on the control plane and checks to see if the behavior is expected in the context of each workload
Answer is B.
Option A creates an Amazon CloudWatch metric filter that looks for API call error codes and then implements an alarm based on that metric's rate. While this approach can detect when there are too many error codes, it does not take into account unauthorized requests. It only detects errors made by authorized requests. It does not provide visibility into the security events that have occurred, like unauthorized requests, which is the focus of the question.
Recommended and out of the box solution is option A
B, while possible, requires you to write Lambda code and more effort to build a custom solution, so it's not preferred for this use case.
Simply voting B to add thinking effort:
A: Simplest and not real-time
B: Complex and real-time
Both are possible, and since the question didn't state the requirement, we should choose the most straightforward way out.