Control: 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to LogService and establishing corresponding query and alarms. It is recommended that a query and alarm be established for unauthorized API calls.

Remediation

Perform the following to ensure the log monitoring and alerts are set up for unauthorized API calls:

From Console

1. Logon to SLS Console.
2. Click Log Service Audit Service in the navigation pane.
3. Go to Access to Cloud Products > Global Configuration page.
   • Select a location of project for logs.
   • Check the Action Trail and configure a proper days.
   • Click Save to save the changes.
4. Go to Access to Cloud Products > Global Configurations click Central Project.
5. Select Log Management > Actiontrail Log.
6. In the search/analytics console, input below query

"event.eventType": ApiCall and ("event.errorCode": "NoPermission" or "event.errorCode": "NoPermission.*" or "event.errorCode": "Forbidden" or "event.errorCode": "Forbbiden" or "event.errorCode": "Forbidden.*" or "event.errorCode": "InvalidAccessKeyId" or "event.errorCode": "InvalidAccessKeyId.*" or "event.errorCode": "InvalidSecurityToken" or "event.errorCode": "InvalidSecurityToken.*" or "event.errorCode": "SignatureDoesNotMatch" or "event.errorCode": "InvalidAuthorization" or "event.errorCode": "AccessForbidden" or "event.errorCode": "NotAuthorized") | select count(1) as cnt

7. Create a dashboard and set alert for the query result