Control: 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls
Description
Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to LogService and establishing corresponding query and alarms. It is recommended that a query and alarm be established for unauthorized API calls.
Remediation
Perform the following to ensure the log monitoring and alerts are set up for unauthorized API calls:
From Console
- Logon to SLS Console.
- Click
Log Service Audit Servicein the navigation pane. - Go to
Access to Cloud Products > Global Configurationpage.- Select a location of project for logs.
- Check the
Action Trailand configure a proper days. - Click
Saveto save the changes.
- Go to
Access to Cloud Products > Global ConfigurationsclickCentral Project. - Select
Log Management > Actiontrail Log. - In the search/analytics console, input below query
"event.eventType": ApiCall and ("event.errorCode": "NoPermission" or "event.errorCode": "NoPermission.*" or "event.errorCode": "Forbidden" or "event.errorCode": "Forbbiden" or "event.errorCode": "Forbidden.*" or "event.errorCode": "InvalidAccessKeyId" or "event.errorCode": "InvalidAccessKeyId.*" or "event.errorCode": "InvalidSecurityToken" or "event.errorCode": "InvalidSecurityToken.*" or "event.errorCode": "SignatureDoesNotMatch" or "event.errorCode": "InvalidAuthorization" or "event.errorCode": "AccessForbidden" or "event.errorCode": "NotAuthorized") | select count(1) as cnt
- Create a dashboard and set alert for the query result
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v100_2_16Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run alicloud_compliance.control.cis_v100_2_16 --shareSQL
This control uses a named query:
select 'arn:acs:::' || account_id as resource, 'info' as status, 'Manual verification required.' as reason , account_id as account_idfrom alicloud_account;