Day 9: CloudWatch Security Filters
CloudTrail records API calls. CloudWatch makes them actionable. Here's a quick setup for the most critical security detection -- catching someone disabling your security controls:
```hcl
resource "aws_cloudwatch_log_metric_filter" "config_tampering" {
  name           = "aws-config-changes"
  log_group_name = "/aws/cloudtrail/security"
  pattern        = <<-PATTERN
    { ($.eventSource = config.amazonaws.com) &&
      (($.eventName = StopConfigurationRecorder) ||
       ($.eventName = DeleteDeliveryChannel)) }
  PATTERN

  metric_transformation {
    name      = "ConfigTamperingCount"
    namespace = "Security/CIS"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "config_tampering" {
  alarm_name          = "CRITICAL-ConfigTampering"
  namespace           = "Security/CIS"
  metric_name         = "ConfigTamperingCount"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security.arn]
}
```
Why this matters: an attacker with admin access often disables Config to stop recording evidence. A 60-second alarm period means you know within a minute.
Key tip: always set `treat_missing_data = "notBreaching"`. The default causes false alarms during quiet periods.
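To sanity-check the filter and alarm logic offline before deploying, here is an added example (not part of the original post) that replays the same predicate and 60-second Sum/threshold evaluation over a handful of constructed CloudTrail records, and shows what each `treat_missing_data` setting does to an empty period:

```python
from datetime import datetime, timezone

# Mirrors the Terraform metric filter and alarm above.
TAMPERING_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel"}
PERIOD_SECONDS = 60   # alarm period
THRESHOLD = 1         # GreaterThanOrEqualToThreshold

# Constructed sample CloudTrail records (not real log data); only two should match.
SAMPLE_TRAIL = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "config.amazonaws.com",
     "eventName": "DescribeConfigurationRecorders"},
    {"eventTime": "2024-05-01T10:00:42Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder"},
    {"eventTime": "2024-05-01T10:00:50Z", "eventSource": "config.amazonaws.com",
     "eventName": "DeleteDeliveryChannel"},
    {"eventTime": "2024-05-01T10:03:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances"},
]

def matches_filter(event):
    """Same predicate as the filter pattern: Config source AND a tampering eventName."""
    return (event.get("eventSource") == "config.amazonaws.com"
            and event.get("eventName") in TAMPERING_EVENTS)

def metric_datapoints(events):
    """Sum matching events per 60-second period, keyed by the period's epoch start;
    this is what metric_transformation value = "1" plus statistic = "Sum" yields."""
    buckets = {}
    for ev in events:
        if not matches_filter(ev):
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // PERIOD_SECONDS * PERIOD_SECONDS
        buckets[start] = buckets.get(start, 0) + 1
    return buckets

def alarm_state(datapoints, period_start, treat_missing_data="notBreaching"):
    """Evaluate one period (evaluation_periods = 1). A period with no datapoint is
    resolved by treat_missing_data; 'ignore' (keep prior state) is not modelled."""
    value = datapoints.get(period_start)
    if value is None:
        return {"notBreaching": "OK", "breaching": "ALARM",
                "missing": "INSUFFICIENT_DATA"}[treat_missing_data]
    return "ALARM" if value >= THRESHOLD else "OK"

if __name__ == "__main__":
    points = metric_datapoints(SAMPLE_TRAIL)
    for start, count in sorted(points.items()):
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        print(f"{when}: ConfigTamperingCount={count} -> {alarm_state(points, start)}")
```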