Ensure a log metric filter and alarm exist for AWS Organizations changes

The steps to remediate this issue include setting up an Amazon SNS topic, a metric filter, and an alarm for the metric filter.

From Console

To create SNS topic

1. Open the Amazon SNS console at SNS.
2. Create an Amazon SNS topic that receives all CIS alarms. Create at least one subscriber to the topic. You can follow steps here
3. Set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in CIS 3.1 - Ensure CloudTrail is enabled in all Regions.
4. Make a note of the associated log group name.

To create a metric filter and alarm

1. Open the CloudWatch console at CloudWatch.
2. In the navigation pane, choose Log groups.
3. Select the check box for the log group that you made a note of in the previous step (4).
4. From Actions, choose Create Metric Filter.
5. Under Define pattern, do the following:
   • Copy the following pattern and then paste it into the Filter Pattern field.

     { ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName = "InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }
     

   • Choose Next.
6. Under Assign metric, do the following:
   • In Filter name, enter a name for your metric filter.
   • For Metric namespace, enter CISBenchmark. You can use the same namespace for all of your CIS log metric filters.
   • For Metric name, enter a name for the metric.
   • The name of the metric is required to create the alarm.
   • For Metric value, enter 1.
   • Choose Next.
7. Under Review and create, review the details and choose Create metric filter.
8. Choose the Metric filters tab, select the metric filter that you just created.
9. To choose the metric filter, select the check box at the upper right.
10. Choose Create Alarm.
11. Follow the steps provided in Create an alarm
12. Under Configure actions, do the following:
    • Under Alarm state trigger, choose In alarm.
    • Under Select an SNS topic, choose Select an existing SNS topic.
    • For Send a notification to, enter the name of the SNS topic that you created in the previous procedure.
    • Choose Next.
13. Under Add name and description, enter a Name and Description for the alarm. For example, CIS4.15-[SmallDescription]. Then choose Next.
14. Under Preview and create, review the alarm configuration. Choose Create alarm.

From Command Line

Perform the following to setup the metric filter, alarm, SNS topic, and subscription

1. Create a metric filter based on filter pattern provided and CloudWatch log group.

aws logs put-metric-filter --log-group-name <cloudtrail_log_group_name> --filter-name `<organizations_changes>` --metric-transformations metricName=`<organizations_changes>` ,metricNamespace='CISBenchmark',metricValue=1 --filter-pattern '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "AcceptHandshake") || ($.eventName = "AttachPolicy") || ($.eventName = "CreateAccount") || ($.eventName = "CreateOrganizationalUnit") || ($.eventName = "CreatePolicy") || ($.eventName = "DeclineHandshake") || ($.eventName = "DeleteOrganization") || ($.eventName = "DeleteOrganizationalUnit") || ($.eventName = "DeletePolicy") || ($.eventName = "DetachPolicy") || ($.eventName = "DisablePolicyType") || ($.eventName = "EnablePolicyType") || ($.eventName ="InviteAccountToOrganization") || ($.eventName = "LeaveOrganization") || ($.eventName = "MoveAccount") || ($.eventName = "RemoveAccountFromOrganization") || ($.eventName = "UpdatePolicy") || ($.eventName = "UpdateOrganizationalUnit")) }'

Note: You can choose your own metricName and metricNamespace strings. Using the same metricNamespace for all Foundations Benchmark metrics will group them together.

1. Create an SNS topic that the alarm will notify.

aws sns create-topic --name <sns_topic_name>

Note: you can execute this command once and then re-use the same topic for all monitoring alarms.

1. Create an SNS subscription to the topic created in step 2.

aws sns subscribe --topic-arn <sns_topic_arn> --protocol <protocol_for_sns> --notification-endpoint <sns_subscription_endpoints>

Note: you can execute this command once and then re-use the SNS subscription for all.

1. Create an alarm that is associated with the CloudWatch Logs Metric Filter created in step 1 and an SNS topic created in step 2.

aws cloudwatch put-metric-alarm --alarm-name `<vpc_changes_alarm>` --metric-name `<organizations_changes>` --statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 --namespace 'CISBenchmark' --alarm-actions <sns_topic_arn>

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.