Use AWS CloudWatch Contributor Insights to monitor CIS AWS Foundations Benchmark controls
Contributor Insights is a feature of Amazon CloudWatch that analyzes log data and creates time series that display contributor data. This helps you understand who or what is impacting your system and application performance by identifying top talkers, pinpointing outliers, finding the heaviest traffic patterns, and ranking the top system processes. Once set up, Contributor Insights runs continuously without needing your intervention, which helps developers and operators isolate, diagnose, and remediate issues more quickly during an operational event.
The Center for Internet Security (CIS) developed the CIS AWS Foundations Benchmark, a set of security configuration best practices for AWS. These industry-accepted best practices go beyond the high-level security guidance already available, providing AWS users with clear, step-by-step implementation and assessment procedures.
In this blog post, we’ll show you how to use Contributor Insights to analyze CloudTrail event data and create time series that display contributor data for the monitoring controls defined in the CIS AWS Foundations Benchmark.
The post also demonstrates how to create custom rules that replicate the monitoring controls defined in the CIS AWS Foundations Benchmark (all except one; see the note below). We’ll show you how to add a Contributor Insights rule to a dashboard, graph the metrics generated by a rule, and create an alarm that triggers an alert when a metric exceeds a threshold. To promote rapid deployment and adoption of this solution, you’ll deploy most of the necessary components via AWS CloudFormation.
Figure 1 shows how CloudTrail logs sent to CloudWatch are analyzed by Contributor Insights rules whose report findings are displayed on a CloudWatch dashboard.
Supported monitoring controls
The following monitoring controls defined in the CIS AWS Foundations Benchmark are supported in this blog post:
- 3.1 Monitoring for unauthorized API calls
- 3.2 Monitoring for AWS Management Console sign-in without MFA
- 3.3 Monitoring for usage of root account
- 3.5 Monitoring for CloudTrail configuration changes
- 3.6 Monitoring for AWS Management Console authentication failures
- 3.7 Monitoring for disabling or scheduled deletion of customer-created CMKs
- 3.8 Monitoring for S3 bucket policy changes
- 3.9 Monitoring for AWS Config configuration changes
- 3.10 Monitoring for security group changes
- 3.11 Monitoring for changes to Network Access Control Lists (NACL)
- 3.12 Monitoring changes to network gateways
- 3.13 Monitoring for route table changes
- 3.14 Monitoring for VPC changes
Note: At the time of writing, a Match filter that compares a field against an array of string values (such as the In operator) is limited to an array of 10 string values. Because of this limit, control 3.4 Monitoring for IAM policy changes cannot be expressed as a Contributor Insights rule: it would need to match more than 10 event names in a single array. For more details, see the Contributor Insights Rule Syntax documentation.
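To make the rule shape and the array limit concrete, here is an added example that is not code from the original post, the GitHub template, or AWS: three rule documents written in the Contributor Insights rule syntax (one each for controls 3.1 and 3.3, and one for the unsupported 3.4), plus a small Python evaluator that runs them over constructed CloudTrail records the way the service would (all filters must match, the Keys values identify the contributor, and AggregateOn Count tallies matches). The evaluator is a simplified reimplementation that supports only the In, NotIn and IsPresent operators; the log group name, account ID, IP addresses and events are constructed placeholders, and the 3.1 rule approximates the benchmark’s wildcard error-code patterns with an explicit list of codes.

```python
"""Minimal, local evaluator for Contributor Insights JSON-log rules.
Added example: not code from the original post, the GitHub template, or AWS.
Rule documents follow the published rule syntax; the evaluator supports only
In, NotIn and IsPresent, ANDs all filters, and enforces the 10-value cap."""
import json
from collections import Counter

MAX_ARRAY_VALUES = 10                     # cap described in the post's note
LOG_GROUP = "CloudTrail/DefaultLogGroup"  # assumed name of the trail's log group


def make_rule(filters, keys):
    """Wrap Filters/Keys in a complete rule document that counts matches."""
    return {"Schema": {"Name": "CloudWatchLogRules", "Version": 1},
            "LogGroupNames": [LOG_GROUP], "LogFormat": "JSON",
            "AggregateOn": "Count",
            "Contribution": {"Filters": filters, "Keys": keys}}


# CIS 3.1: the benchmark matches errorCode "*UnauthorizedOperation" or
# "AccessDenied*"; with no suffix operator, common codes are listed explicitly.
UNAUTHORIZED_API_CALLS = make_rule(
    [{"Match": "$.errorCode", "In": ["AccessDenied", "UnauthorizedOperation",
                                      "Client.UnauthorizedOperation"]}],
    ["$.userIdentity.arn"])

# CIS 3.3: root usage, excluding activity a service invoked on root's behalf.
ROOT_ACCOUNT_USAGE = make_rule(
    [{"Match": "$.userIdentity.type", "In": ["Root"]},
     {"Match": "$.userIdentity.invokedBy", "IsPresent": False},
     {"Match": "$.eventType", "NotIn": ["AwsServiceEvent"]}],
    ["$.sourceIPAddress"])

# CIS 3.4 needs 16 event names, more than the 10-value array cap allows.
IAM_POLICY_CHANGES = make_rule(
    [{"Match": "$.eventName", "In": [
        "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
        "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "CreatePolicy",
        "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
        "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
        "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy"]}],
    ["$.userIdentity.arn"])


def lookup(event, path):
    """Resolve a '$.a.b' path against a record; None if any segment is missing."""
    node = event
    for part in path[2:].split("."):  # drop the leading "$."
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_is_expressible(rule):
    """False when any In/NotIn array is larger than the service accepts."""
    return all(len(f.get("In", f.get("NotIn", []))) <= MAX_ARRAY_VALUES
               for f in rule["Contribution"]["Filters"])


def filter_matches(flt, event):
    value = lookup(event, flt["Match"])
    if "IsPresent" in flt:
        return (value is not None) == flt["IsPresent"]
    for op in ("In", "NotIn"):
        if op in flt:
            if len(flt[op]) > MAX_ARRAY_VALUES:
                raise ValueError(f"{op} array exceeds {MAX_ARRAY_VALUES} values")
            hit = value in flt[op]  # an absent field never satisfies In
            return hit if op == "In" else not hit
    raise ValueError(f"unsupported filter: {flt}")


def evaluate_rule(rule, events):
    """Count matching events per contributor key, like an AggregateOn=Count report."""
    c = rule["Contribution"]
    counts = Counter()
    for event in events:
        if all(filter_matches(f, event) for f in c["Filters"]):
            counts[tuple(str(lookup(event, k)) for k in c["Keys"])] += 1
    return counts


# Constructed CloudTrail records, trimmed to the fields the rules inspect.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall", "userIdentity": ALICE,
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetObject", "eventType": "AwsApiCall", "userIdentity": ALICE,
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ListBuckets", "eventType": "AwsApiCall", "userIdentity": BOB,
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.11"},
    {"eventName": "ListBuckets", "eventType": "AwsApiCall", "userIdentity": BOB,
     "sourceIPAddress": "203.0.113.11"},                         # succeeded: no match
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventName": "CreateServiceLinkedRole", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "organizations.amazonaws.com"},
     "sourceIPAddress": "organizations.amazonaws.com"},          # service-initiated
]

if __name__ == "__main__":
    for name, rule in (("3.1", UNAUTHORIZED_API_CALLS), ("3.3", ROOT_ACCOUNT_USAGE)):
        print(name, evaluate_rule(rule, SAMPLE_EVENTS).most_common(5))
    print("3.4 expressible:", rule_is_expressible(IAM_POLICY_CHANGES))
    print(json.dumps(ROOT_ACCOUNT_USAGE, indent=2))  # paste into the Syntax tab
```

Running the script reports alice with 2 unauthorized calls and bob with 1 for control 3.1, a single root sign-in from 198.51.100.7 for control 3.3 (the service-initiated event is filtered out by the IsPresent and NotIn filters), and reports the 3.4 document as not expressible because its In array holds 16 event names. The `json.dumps` output is the form you would paste into the Syntax tab of the Create rule page; if you adapt the filters, check them against a few real CloudTrail records first so you know the rule matches what you expect before relying on its report.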
Before proceeding to the next steps, you must enable CloudTrail and publish its logs to CloudWatch Logs. If you haven’t already, follow the steps below to create a trail in your account.
Create a trail in the CloudTrail console
As a first step, create a trail by following the steps outlined below. For a more detailed explanation, refer to the AWS Creating a trail documentation.
- Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail.
- Click on Trails from the left navigation pane.
- Click Create trail to open the Choose trail attributes page (shown below).
- Enter a Trail name. (Example:
- Under Storage location, choose Create new S3 bucket and enter a unique bucket name.
- Additional settings can be left to the default values.
- Under the CloudWatch Logs section, select Enabled.
- Select New for the Log group and provide a Log group name. (Example:
- For IAM Role, select New and provide a Role name. (Example:
- Select Next.
- Select Next on the Events page by keeping the defaults.
- On the Review and create page, review your configuration and select Create Trail.
Configure Contributor Insights
Open your browser and navigate to CloudWatch Contributor Insights. On the Contributor Insights home page, click Create rule. You will see a screen like the one below.
For quick reference, you can view all the configurable parameters in the Wizard tab.
Deploy the Contributor Insights Rules via CloudFormation
Download the CloudFormation template from GitHub and create a CloudFormation stack. For more information about how to create a CloudFormation stack, see Getting Started with AWS CloudFormation in the AWS CloudFormation User Guide.
The template will also create a CloudWatch dashboard which includes the Contributor Insights rule reports.
The CloudFormation template takes the following parameters:
- Contributor Insights rule state
This parameter enables or disables the Contributor Insights rules when they are created.
- CloudWatch Log Group
This is the log group that CloudTrail writes its logs to (the one you created with the trail).
To create the CloudFormation stack
- Navigate to the CloudFormation console.
- In the navigation pane, choose Stacks.
- Under Create stack, choose With new resources (standard).
- For Specify template, upload the template you downloaded from the GitHub repo.
- Review the parameters and change the default values if needed and then choose Next.
- Leave all other fields at their defaults, and then choose Create Stack.
Navigate to CloudWatch Contributor Insights, and you will see the rules that the CloudFormation stack created.
Display Contributor Insights Report Data on CloudWatch Dashboard
You can create an operational dashboard to display the report data from Contributor Insights rules. Below is an image of the dashboard that was created by deploying the CloudFormation template in the previous step.
Setting an Alarm on Contributor Insights Metric Data
Contributor Insights provides a metric math function, INSIGHT_RULE_METRIC. You can use this function to add data from a Contributor Insights report to a graph in the Metrics tab of the CloudWatch console. You can also set alarms on metrics generated by this math function. For more details, see the Graphing Metrics Generated by Rules page.
When you create a rule, you are charged per rule per month, and per million log events that match your rule. Disabling a rule stops the charges for matched events; deleting a rule stops both the matched-event charges and the per-rule charge. For more details, see the CloudWatch pricing page.
To avoid ongoing charges, delete the resources you created. In the AWS Management Console, identify the resources you created (the trail in AWS CloudTrail, the CloudFormation stack used to deploy the Contributor Insights rules, CloudWatch alarms, the CloudWatch Logs log group, and the dashboard) and delete them.
In this post, we demonstrated how you can use Contributor Insights to create custom rules for the monitoring controls defined in the CIS AWS Foundations Benchmark with an AWS CloudFormation template. The deployed template also created an operational dashboard to display the Contributor Insights report data. For more information, see Using Contributor Insights and the CIS AWS Foundations Benchmark.