turbot/alicloud_compliance

Control: 2.16 Ensure a log monitoring and alerts are set up for unauthorized API calls

Description

Real-time monitoring of API calls can be achieved by directing ActionTrail Logs to LogService and establishing corresponding query and alarms. It is recommended that a query and alarm be established for unauthorized API calls.

Remediation

Perform the following to ensure the log monitoring and alerts are set up for unauthorized API calls:

From Console

  1. Logon to SLS Console.
  2. Click Log Service Audit Service in the navigation pane.
  3. Go to Access to Cloud Products > Global Configuration page.
    • Select a location of project for logs.
    • Check the Action Trail and configure a proper days.
    • Click Save to save the changes.
  4. Go to Access to Cloud Products > Global Configurations click Central Project.
  5. Select Log Management > Actiontrail Log.
  6. In the search/analytics console, input below query
"event.eventType": ApiCall and ("event.errorCode": "NoPermission" or "event.errorCode": "NoPermission.*" or "event.errorCode": "Forbidden" or "event.errorCode": "Forbbiden" or "event.errorCode": "Forbidden.*" or "event.errorCode": "InvalidAccessKeyId" or "event.errorCode": "InvalidAccessKeyId.*" or "event.errorCode": "InvalidSecurityToken" or "event.errorCode": "InvalidSecurityToken.*" or "event.errorCode": "SignatureDoesNotMatch" or "event.errorCode": "InvalidAuthorization" or "event.errorCode": "AccessForbidden" or "event.errorCode": "NotAuthorized") | select count(1) as cnt
  1. Create a dashboard and set alert for the query result

Usage

steampipe check alicloud_compliance.control.cis_v100_2_16

SQL

This control uses a named query:

manual_control

Tags