AWS Cloud Operations Blog

Use AWS CloudWatch Contributor Insights to monitor CIS AWS Foundations Benchmark controls

Contributor Insights is a feature of AWS CloudWatch that can be used to analyze log data to create time series that displays contributor data. This will help you understand who or what is impacting your system and application performance by identifying top talkers, pinpointing outliers, finding the heaviest traffic patterns, and ranking the top system processes. Once set up, Contributor Insights runs continuously without needing your intervention. This helps developers and operators more quickly isolate, diagnose, and remediate issues during an operational event.

The Center for Internet Security (CIS) developed the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures.

In this blog post, we’ll show you how you can use Contributor Insights to analyze log trail event data and create time series that displays the contributor data for the monitoring controls defined in CIS AWS Foundations Benchmark controls.

This blog post also demonstrates how to create custom rules to replicate all the monitoring controls defined in CIS AWS Foundations Benchmark controls. I will show you the process to add a Contributor Insights rule to the dashboard. I will graph the metrics generated by a Contributor Insights rule and create an alarm to trigger an alert when this metric exceeds a certain threshold. To promote rapid deployment and adoption of this solution, you’ll deploy a majority of the necessary components via AWS CloudFormation.

Solution Architecture

CloudTrail delivers logs to a CloudWatch Log group. Contributor Insights rules are created for this log group and the findings are displayed on a CloudWatch dashboard.

Figure 1: Solution Architecture Overview

Figure 1 shows how CloudTrail logs sent to CloudWatch are analyzed by Contributor Insights rules whose report findings are displayed on a CloudWatch dashboard.

Supported monitoring controls

The following monitoring controls defined in the CIS AWS Foundation benchmark controls are supported in this blog post:

Note: At the time of writing, the Match operator with fields that follow an array of string values to check for is restricted by an array size of 10 string values. Due to this limitation the control 3.4 Monitoring for IAM policy changes cannot be expressed using Contributor Insights as it would need an array size of more than 10 strings. For more details, please review the Contributor Insights Rule Syntax.

Before we proceed to the next steps, you will have to enable CloudTrail logs and publish them to CloudWatch. If you haven’t already, follow the below steps to create a trail in your account.

Create a trail in the CloudTrail console

As a first step, create a trail by following the steps outlined below. For more detailed explanation, refer to the AWS Creating a trail documentation.

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
  2. Click on Trails from the left navigation pane.
  3. Click on Create trail to open Choose trail attributes (shown below).
  4. Enter a Trail name. (Example: MyDemoTrail)
  5. Under Storage Location, for create a new S3 bucket enter a unique bucket name.

    Choose trail attributes displays a field or trail name and a storage location section with fields for S3 bucket options, logging location, and log file encryption.

    Figure 2: CloudTrail storage location details

  6. Additional settings can be left to the default values.
  7. Under the CloudWatch Logs section, select Enabled.
  8. Select New for the Log group and provide a Log group name. (Example:CloudTrail/DefaultLogGroup)
  9. For IAM Role, select New and provide a Role name. (Example:CloudTrailRole_MyDemoTrail)
  10. Select Next.

    CloudWatch Logs section displays option to enable CloudWatch logging and select a log group destination along with the IAM role that is to be assumed to send CloudTrail events to the log group.

    Figure 3: Configure CloudWatch Logs to monitor your trail

  11. Select Next on the Events page by keeping the defaults.
  12. On the Review and create page, review your configuration and select Create Trail.

Configure Contributor Insights

Open your browser and navigate to CloudWatch Contributor Insights. On the Contributor Insights home page, click Create Rule. You will see a screen like the one below.

Create rule displays the option to create a rule using the Wizard or Syntax for a custom or Sample rule type.

Figure 4: Create Contributor Insights rule

For quick reference, you can view all the configurable parameters in the Wizard tab.

Deploy the Contributor Insights Rules via CloudFormation

Download the CloudFormation template from GitHub and create a CloudFormation stack. For more information about how to create a CloudFormation stack, see Getting Started with AWS CloudFormation in the AWS CloudFormation User Guide.

The template will also create a CloudWatch dashboard which includes the Contributor Insights rule reports.

The CloudFormation template takes the following parameters:

  • Contributor Insights rule state

This parameter is configured to enable or disable Contributor Insights on creation.

  • CloudWatch Log Group

This is the Log group where CloudTrail logs are being written into.

Specify stack details displays a field or the stack name and a Parameters section on with the fields for rule configuration.

Figure 5: Configured CloudFormation stack parameters

To create the CloudFormation stack

  1. Navigate to the  CloudFormation console.
  2. In the navigation pane, choose Stacks.
  3. Under Create Stack, choose with new resources (standard).
  4. For Specify template, choose the template downloaded from the GitHub repo.
  5. Review the parameters and change the default values if needed and then choose Next.
  6. Leave all other fields at their defaults, and then choose Create Stack.

Navigate to CloudWatch Contributor Insights, and you will see the rules that got created from the CloudFormation stack.

Rules displays the Contributor Insights rules created for AWS CIS Foundations Monitoring Controls using the CloudFormation template.

Figure 6: Contributor Insights Rules

Display Contributor Insights Report Data on CloudWatch Dashboard

You can create an operational dashboard to display the report data from Contributor Insights rules. Below is an image of the dashboard that was created by deploying the CloudFormation template in the previous step.

The dashboard displays graphs for the Contributor Insights rules created for AWS CIS Foundations Monitoring controls.

Figure 7: AWS CIS Foundations Monitoring Controls Dashboard

Setting an Alarm on Contributor Insights Metric Data

Contributor Insights provides a metric math function, INSIGHT_RULE_METRIC. You can use this function to add data from a Contributor Insights report to a graph in the Metrics tab of the CloudWatch console. You can also set alarms on metrics generated by this math function. For more details, see the Graphing Metrics Generated by Rules page.

Cost considerations

When you create a rule, you are charged per-rule per-month, and for every million log events that match your rule. Disabling a rule will prevent service charges due to matched events, while deleting a rule will prevent both service charges from matched events, and for the existence of a rule. For more details, see the CloudWatch pricing page.

Cleanup

To avoid ongoing charges, delete the resources you created. Go to the AWS Management Console, identify the resources you created (Trail in AWS CloudTrail, CloudFormation template used to deploy Contributor Insight rules, CloudWatch Alarms, CloudWatch Log group, and dashboard)

Conclusion

In this post, we demonstrated how you can use Contributor Insights to create custom rules for monitoring controls defined in CIS AWS Foundation Controls with an AWS CloudFormation template. The deployed template also helped you create an operational dashboard to display the Contributor Insights report data. For more information, see Using Contributor Insights and AWS CIS Foundation Benchmark Controls.

About the authors

Sandeep Batchu

Sandeep Batchu

Sandeep Batchu is a Senior Security Consultant with Amazon Web Services. His background includes software engineering, solutions architecture, and security. Sandeep has a passion for helping customers connect business outcomes with technology and assisting customers throughout their cloud journey, helping them design secure, scalable, flexible, and resilient architectures

Sukhchander Khanna

Sukhchander Khanna

Sukhchander Khanna is a Solutions Architect at Amazon Web Services. He is passionate about helping startups and enterprises adopt the cloud in the most scalable, secure, and cost-effective way by providing technical guidance, best practices, and well architected solutions.