How do I use CloudWatch alarms to monitor CloudTrail events?

5 minute read

I want to use Amazon CloudWatch alarms to monitor AWS CloudTrail events.

Short description

A CloudWatch alarm monitors a single CloudWatch metric or the result of a math expression based on the CloudWatch metrics. To create alarms to monitor CloudTrail events, turn on CloudWatch logging for your trail and create metric filters on the CloudTrail log group.

Note: Metric filters define the terms and patterns to look for in log data as it's sent to CloudWatch Logs. CloudWatch Logs uses metric filters to convert log data into numerical metrics that you can graph and set an alarm to.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Before you begin, complete the following steps:

Create a trail in the CloudTrail console or use the AWS CLI to create a trail.
Create a log group. This can be completed when you create a trail.
Use the AWS Management Console or AWS CLI to configure your trail to send events to CloudWatch Logs for monitoring.
Create or specify an AWS Identity and Access Management (IAM) role that grants CloudTrail the permissions to create a CloudWatch Logs log stream. The log stream must be created in the log group that you specify to deliver CloudTrail events to. CloudTrail_CloudWatchLogs_Role is the default role.

Note: The following steps for Create a metric filter and Create an alarm provide an example of how to monitor ConsoleLogin events without MFA enabled CloudTrail events.

Create a metric filter

To create a metric filter for ConsoleLogin events without MFA enabled CloudTrail events, complete the following steps:

Open the CloudWatch console.
In the navigation pane, under Logs, choose Log groups.
In the list of log groups, choose the log group that you created for your trail.
From the Metric filters or Actions menu, choose Create metric filter.

On the Define pattern page, in Create filter pattern, enter the following for the Filter pattern:

{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }

In Test pattern, don't update the default values. Choose Next.
On the Assign metric page, for Filter name, enter ConsoleSignInWithoutMFA.
In Metric details, turn on Create new and complete the following:
For Metric namespace, enter CloudTrailMetrics.
For Metric name, type ConsoleSignInWithoutMFA.
For Metric value, type 1.
For Default value, leave empty.
Choose Next.
On the Review and create page, review your choices. Choose Create metric filter to create the filter or choose Edit to change the values.

Note: After you create the metric filter, the CloudWatch Logs log group details page for your CloudTrail trail log group opens.

Create an alarm

To create an alarm to monitor ConsoleLogin events without MFA enabled CloudTrail events, complete the following steps:

On the Metric filters tab, identify the metric filter that you created and select the check box for the metric filter.
In the Metric filters bar, choose Create alarm. In Specify metric and conditions, enter the following:
For Metric name, keep the current metric name ConsoleSignInWithoutMFA.
For Statistic, keep the default, Sum.
For Period, keep the default, 5 minutes.
In Conditions, for Threshold type, choose Static.
For Whenever metric_name is, choose Greater/Equal.
For the threshold value, enter your required value. For this example, 3 is the threshold value.
In Additional configuration, don't update the default values.
Choose Next.
On the Configure actions page, for Notification, choose Create new topic or select an existing Amazon Simple Notification Service (Amazon SNS) topic.
For Create a new topic, enter ConsoleSignInWithoutMFA_CloudWatch_Alarms_Topic as the Amazon SNS topic name.
In Email endpoints, enter the email addresses of the users that you want to receive alarm notifications. Make sure that you use commas to separate email addresses.
Note: Each email address is required to reply to the confirmation email to confirm their subscription to the Amazon SNS topic. The alarm's Actions column indicates Pending confirmation until all email recipients are confirmed.
Choose Create topic.
For this example, skip the other action types. Choose Next.
On the Add name and description page, enter a name for the alarm and a description. For this example, enter the name Console sign-in-without-MFA and the description Raises alarms if more than 3 console sign-in without MFA occur in 5 minutes.
Choose Next.
On the Preview and create page, review your choices. Choose Create alarm to create the alarm or Edit to change the values.

Note: The preceding steps create a CloudWatch alarm that invokes when an AWS Management Console sign in fails in the specified five minute window.

Topics

Management & Governance

Relevant content

Cloudformation definition for "Cloudwatch Alarm" based on "Metrics Insights query"
heno7
asked 6 months ago
RDS Events versus CloudWatch Alarms
Accepted Answer
sam15
asked 6 months ago
Monitoring CPU Utilization of Multiple Instances with a Single Alarm
rePost-User-2738569
asked 10 months ago
[CloudWatch] when an alarm fires based on a metric, how to quickly get the corresponding raw logs ?
AWS-User-9743618
asked a month ago
Routing based on Cloudwatch metrics/alarms
rePost-User-9334055
asked 2 years ago
How do I troubleshoot a CloudWatch alarm that monitors CloudWatch agent metrics and is in the INSUFFICIENT_DATA state?
AWS OFFICIALUpdated 16 days ago
How do I monitor my Amazon OpenSearch Service cluster using CloudWatch alarms?
AWS OFFICIALUpdated 3 years ago
How can I monitor daily EstimatedCharges and trigger a CloudWatch alarm based on my usage threshold?
AWS OFFICIALUpdated 2 years ago
How do I monitor AWS VPN tunnels using Amazon CloudWatch alarms?
AWS OFFICIALUpdated a year ago
Monitor the state of BGP peering sessions in a Transit Gateway Connect peer using CloudWatch
EXPERT
George Murimi
published 3 months ago