Use AWS CloudWatch Contributor Insights to monitor CIS AWS Foundations Benchmark controls

Contributor Insights is a feature of AWS CloudWatch that can be used to analyze log data to create time series that displays contributor data. This will help you understand who or what is impacting your system and application performance by identifying top talkers, pinpointing outliers, finding the heaviest traffic patterns, and ranking the top system processes. Once set up, Contributor Insights runs continuously without needing your intervention. This helps developers and operators more quickly isolate, diagnose, and remediate issues during an operational event.

The Center for Internet Security (CIS) developed the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures.

In this blog post, we’ll show you how you can use Contributor Insights to analyze log trail event data and create time series that displays the contributor data for the monitoring controls defined in CIS AWS Foundations Benchmark controls.

This blog post also demonstrates how to create custom rules to replicate all the monitoring controls defined in CIS AWS Foundations Benchmark controls. I will show you the process to add a Contributor Insights rule to the dashboard. I will graph the metrics generated by a Contributor Insights rule and create an alarm to trigger an alert when this metric exceeds a certain threshold. To promote rapid deployment and adoption of this solution, you’ll deploy a majority of the necessary components via AWS CloudFormation.

Solution Architecture

Figure 1: Solution Architecture Overview

Figure 1 shows how CloudTrail logs sent to CloudWatch are analyzed by Contributor Insights rules whose report findings are displayed on a CloudWatch dashboard.

Supported monitoring controls

The following monitoring controls defined in the CIS AWS Foundation benchmark controls are supported in this blog post:

• 3.1 Monitoring for unauthorized API calls
• 3.2 Monitoring for AWS Management Console sign-in without MFA
• 3.3 Monitoring for usage of root account
• 3.5 Monitoring for CloudTrail configuration changes
• 3.6 Monitoring for AWS Management Console authentication failures
• 3.7 Monitoring for disabling or scheduled deletion of customer created CMKs
• 3.8 Monitoring for S3 bucket policy changes
• 3.9 Monitoring for AWS Config configuration changes
• 3.10 Monitoring for security group changes
• 3.11 Monitoring for changes to Network Access Control Lists (NACL)
• 3.12 Monitoring changes to network gateways
• 3.13 Monitoring for route table changes
• 3.14 Monitoring for VPC changes

Note: At the time of writing, the Match operator with fields that follow an array of string values to check for is restricted by an array size of 10 string values. Due to this limitation the control 3.4 Monitoring for IAM policy changes cannot be expressed using Contributor Insights as it would need an array size of more than 10 strings. For more details, please review the Contributor Insights Rule Syntax.

Before we proceed to the next steps, you will have to enable CloudTrail logs and publish them to CloudWatch. If you haven’t already, follow the below steps to create a trail in your account.

Create a trail in the CloudTrail console

As a first step, create a trail by following the steps outlined below. For more detailed explanation, refer to the AWS Creating a trail documentation.

1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
2. Click on Trails from the left navigation pane.
3. Click on Create trail to open Choose trail attributes (shown below).
4. Enter a Trail name. (Example: MyDemoTrail)
5. Under Storage Location, for create a new S3 bucket enter a unique bucket name.
   

   Figure 2: CloudTrail storage location details

6. Additional settings can be left to the default values.
7. Under the CloudWatch Logs section, select Enabled.
8. Select New for the Log group and provide a Log group name. (Example:CloudTrail/DefaultLogGroup)
9. For IAM Role, select New and provide a Role name. (Example:CloudTrailRole_MyDemoTrail)
10. Select Next.
    

    Figure 3: Configure CloudWatch Logs to monitor your trail

11. Select Next on the Events page by keeping the defaults.
12. On the Review and create page, review your configuration and select Create Trail.

Configure Contributor Insights

Open your browser and navigate to CloudWatch Contributor Insights. On the Contributor Insights home page, click Create Rule. You will see a screen like the one below.

Figure 4: Create Contributor Insights rule

For quick reference, you can view all the configurable parameters in the Wizard tab.

Deploy the Contributor Insights Rules via CloudFormation

Download the CloudFormation template from GitHub and create a CloudFormation stack. For more information about how to create a CloudFormation stack, see Getting Started with AWS CloudFormation in the AWS CloudFormation User Guide.

The template will also create a CloudWatch dashboard which includes the Contributor Insights rule reports.

The CloudFormation template takes the following parameters:

• Contributor Insights rule state

This parameter is configured to enable or disable Contributor Insights on creation.

• CloudWatch Log Group

This is the Log group where CloudTrail logs are being written into.

Figure 5: Configured CloudFormation stack parameters

To create the CloudFormation stack

1. Navigate to the  CloudFormation console.
2. In the navigation pane, choose Stacks.
3. Under Create Stack, choose with new resources (standard).
4. For Specify template, choose the template downloaded from the GitHub repo.
5. Review the parameters and change the default values if needed and then choose Next.
6. Leave all other fields at their defaults, and then choose Create Stack.

Navigate to CloudWatch Contributor Insights, and you will see the rules that got created from the CloudFormation stack.

Figure 6: Contributor Insights Rules

Display Contributor Insights Report Data on CloudWatch Dashboard

You can create an operational dashboard to display the report data from Contributor Insights rules. Below is an image of the dashboard that was created by deploying the CloudFormation template in the previous step.

Figure 7: AWS CIS Foundations Monitoring Controls Dashboard

Setting an Alarm on Contributor Insights Metric Data

Contributor Insights provides a metric math function, INSIGHT_RULE_METRIC. You can use this function to add data from a Contributor Insights report to a graph in the Metrics tab of the CloudWatch console. You can also set alarms on metrics generated by this math function. For more details, see the Graphing Metrics Generated by Rules page.

Cost considerations

When you create a rule, you are charged per-rule per-month, and for every million log events that match your rule. Disabling a rule will prevent service charges due to matched events, while deleting a rule will prevent both service charges from matched events, and for the existence of a rule. For more details, see the CloudWatch pricing page.

Cleanup

To avoid ongoing charges, delete the resources you created. Go to the AWS Management Console, identify the resources you created (Trail in AWS CloudTrail, CloudFormation template used to deploy Contributor Insight rules, CloudWatch Alarms, CloudWatch Log group, and dashboard)

Conclusion

In this post, we demonstrated how you can use Contributor Insights to create custom rules for monitoring controls defined in CIS AWS Foundation Controls with an AWS CloudFormation template. The deployed template also helped you create an operational dashboard to display the Contributor Insights report data. For more information, see Using Contributor Insights and AWS CIS Foundation Benchmark Controls.

About the authors