Control: 2.10 Ensure log monitoring and alerts are set up for RAM Role changes
Description
It is recommended that a query and alarm be established for RAM Role creation, deletion and update activities.
Remediation
Perform the following to ensure the log monitoring and alerts are set up for RAM Role Changes:
From Console
- Log on to the SLS Console.
- Click Log Service Audit Service in the navigation pane.
- Go to the Access to Cloud Products > Global Configuration page.
- Select a location of project for logs.
- Check Action Trail and configure an appropriate number of days.
- Click Save to save the changes.
 
- Go to Access to Cloud Products > Global Configurations and click Central Project.
- Select Log Management > Actiontrail Log.
- In the search/analytics console, enter the query below:
("event.serviceName": ResourceManager or "event.serviceName": Ram) and ("event.eventName": CreatePolicy or "event.eventName": DeletePolicy or "event.eventName": CreatePolicyVersion or "event.eventName": UpdatePolicyVersion or "event.eventName": SetDefaultPolicyVersion or "event.eventName": DeletePolicyVersion) | select count(1) as c
- Create a dashboard and set an alert for the query result.
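The search filter from the procedure above, mirrored locally as an added example (not part of the control or the benchmark) so its coverage can be checked before the alert is relied on. The records are constructed, the alert threshold is an assumption, and matching is assumed exact and case-sensitive; the CreateRole record is a constructed sample showing that an event name outside the query's list is not counted.

```python
# Added example: local mirror of the SLS search filter, run over constructed
# ActionTrail-style records (not real log data).

SERVICES = {"ResourceManager", "Ram"}
EVENT_NAMES = {
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
    "UpdatePolicyVersion", "SetDefaultPolicyVersion", "DeletePolicyVersion",
}

def matches(record):
    """True when a record satisfies the query's service AND event-name filter."""
    event = record.get("event") or {}
    return (event.get("serviceName") in SERVICES
            and event.get("eventName") in EVENT_NAMES)

def count_matches(records):
    """Equivalent of `| select count(1) as c` over the filtered records."""
    return sum(1 for r in records if matches(r))

def should_alert(records, threshold=0):
    """Assumed alert rule: fire when c exceeds the threshold."""
    return count_matches(records) > threshold

def unmatched_ram_events(records):
    """Event names from the two services that the filter skips (coverage review)."""
    names = set()
    for r in records:
        event = r.get("event") or {}
        if event.get("serviceName") in SERVICES and not matches(r):
            names.add(str(event.get("eventName")))
    return sorted(names)

# Constructed sample records; only the two fields the query reads are filled in.
SAMPLE = [
    {"event": {"serviceName": "Ram", "eventName": "CreatePolicy"}},
    {"event": {"serviceName": "Ram", "eventName": "SetDefaultPolicyVersion"}},
    {"event": {"serviceName": "ResourceManager", "eventName": "DeletePolicyVersion"}},
    {"event": {"serviceName": "Ram", "eventName": "CreateRole"}},    # not in the list
    {"event": {"serviceName": "Ecs", "eventName": "CreatePolicy"}},  # wrong service
    {"event": {}},                                                   # malformed record
]

if __name__ == "__main__":
    print("c =", count_matches(SAMPLE))
    print("alert:", should_alert(SAMPLE))
    print("not counted:", unmatched_ram_events(SAMPLE))
```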
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_2_10
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_2_10 --share
SQL
This control uses a named query:
select
  'arn:acs:::' || account_id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  account_id as account_id
from
  alicloud_account;