Best practice rules for Amazon CloudWatch Logs
CloudWatch Logs allows you to monitor and troubleshoot your systems and applications using your existing custom log files. Your existing log files can be sent to CloudWatch Logs and monitored in near real-time. CloudWatch Logs can be used to monitor and alert you on specific phrases, values or patterns that occur in your AWS account. For example, an alert could be set to notify you when the number of errors encountered in your account reaches 10.
Trend Micro Cloud One™ – Conformity monitors Amazon CloudWatch Logs with the following rules:
- AWS Config Changes Alarm
Ensure AWS Config configuration changes are being monitored using CloudWatch alarms.
- AWS Console Sign In Without MFA
Ensure AWS Console sign-in requests made without MFA are being monitored.
- AWS Organizations Changes Alarm
Ensure AWS Organizations changes are being monitored using CloudWatch alarms.
- Authorization Failures Alarm
Ensure a log metric filter and alarm exist for unauthorized API calls.
- CMK Disabled or Scheduled for Deletion Alarm
Ensure AWS CMK configuration changes are being monitored using CloudWatch alarms.
- CloudTrail Changes Alarm
Ensure all AWS CloudTrail configuration changes are being monitored using CloudWatch alarms.
- Console Sign-in Failures Alarm
Ensure your AWS Console authentication process is being monitored using CloudWatch alarms.
- Create CloudWatch Alarm for VPC Flow Logs Metric Filter
Ensure that a CloudWatch alarm is created for the VPC Flow Logs metric filter and an alarm action is configured.
- EC2 Instance Changes Alarm
Ensure AWS EC2 instance changes are being monitored using CloudWatch alarms.
- EC2 Large Instance Changes Alarm
Ensure AWS EC2 large instance changes are being monitored using CloudWatch alarms.
- IAM Policy Changes Alarm
Ensure AWS IAM policy configuration changes are being monitored using CloudWatch alarms.
- Internet Gateway Changes Alarm
Ensure AWS VPC Customer/Internet Gateway configuration changes are being monitored using CloudWatch alarms.
- Metric Filter for VPC Flow Logs CloudWatch Log Group
Ensure that a log metric filter for the CloudWatch group assigned to the VPC Flow Logs is created.
- Network ACL Changes Alarm
Ensure AWS Network ACL configuration changes are being monitored using CloudWatch alarms.
- Root Account Usage Alarm
Ensure root account usage is being monitored using CloudWatch alarms.
- Route Table Changes Alarm
Ensure AWS route table configuration changes are being monitored using CloudWatch alarms.
- S3 Bucket Changes Alarm
Ensure AWS S3 bucket configuration changes are being monitored using CloudWatch alarms.
- Security Group Changes Alarm
Ensure AWS security group configuration changes are being monitored using CloudWatch alarms.
- VPC Changes Alarm
Ensure AWS VPC configuration changes are being monitored using CloudWatch alarms.