Query: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Description
You can monitor API calls in near real time by delivering CloudTrail logs to CloudWatch Logs and defining metric filters and alarms on them. Security Hub recommends creating a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes shortens the time needed to detect and correct overly permissive policies on sensitive S3 buckets.
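The following is an added example of how this check can be expressed as a Steampipe (PostgreSQL) query over the tables listed on this page; it is not the mod's own query. It assumes the Steampipe AWS plugin column names (`is_multi_region_trail`, `is_logging`, `log_group_arn`, `event_selectors`, `filter_pattern`, `metric_transformation_name`, `alarm_actions`, `topic_arn`) and uses the S3 event names from the CIS AWS Foundations Benchmark filter pattern for this control. The metric filter is tied to its alarm through the metric name, and the alarm is only counted if one of its actions is an SNS topic that actually has a subscriber.

```sql
-- Added example, not the mod's own query. Column names are those of the
-- Steampipe AWS plugin (assumption); the event list is the CIS benchmark set.
with trails as (
  -- Multi-region trails that are logging all management events and
  -- delivering to a CloudWatch Logs log group.
  select
    t.account_id,
    t.name as trail_name,
    split_part(t.log_group_arn, ':', 7) as log_group_name
  from
    aws_cloudtrail_trail as t
    cross join lateral jsonb_array_elements(t.event_selectors) as se
  where
    t.is_multi_region_trail
    and t.is_logging
    and se ->> 'ReadWriteType' = 'All'
    and t.log_group_arn is not null
),
alarm_topics as (
  -- Alarms whose actions include an SNS topic with at least one
  -- subscription, so that a firing alarm reaches someone.
  select distinct
    a.account_id,
    a.metric_name
  from
    aws_cloudwatch_alarm as a
    cross join lateral jsonb_array_elements_text(a.alarm_actions) as act(topic_arn)
    join aws_sns_topic_subscription as s on s.topic_arn = act.topic_arn
),
filters as (
  -- Metric filters on a qualifying trail's log group whose pattern names
  -- s3.amazonaws.com and every bucket policy / ACL / CORS / lifecycle /
  -- replication event from the benchmark, and which feed a subscribed alarm.
  select distinct on (f.account_id)
    f.account_id,
    f.name as filter_name,
    f.log_group_name
  from
    aws_cloudwatch_log_metric_filter as f
    join trails as t
      on t.log_group_name = f.log_group_name
      and t.account_id = f.account_id
    join alarm_topics as at
      on at.metric_name = f.metric_transformation_name
      and at.account_id = f.account_id
  where
    f.filter_pattern ~ '\$\.eventSource\s*=\s*s3\.amazonaws\.com'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*PutBucketAcl'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*PutBucketPolicy'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*PutBucketCors'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*PutBucketLifecycle'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*PutBucketReplication'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*DeleteBucketPolicy'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*DeleteBucketCors'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*DeleteBucketLifecycle'
    and f.filter_pattern ~ '\$\.eventName\s*=\s*DeleteBucketReplication'
  order by
    f.account_id, f.name
)
-- One row per account: 'ok' when a qualifying filter + alarm chain exists.
select
  acct.arn as resource,
  case when f.account_id is null then 'alarm' else 'ok' end as status,
  case
    when f.account_id is null
      then acct.account_id || ' has no metric filter and subscribed alarm for S3 bucket policy changes.'
    else f.filter_name || ' on ' || f.log_group_name || ' alarms on S3 bucket policy changes.'
  end as reason,
  acct.account_id
from
  aws_account as acct
  left join filters as f on f.account_id = acct.account_id;
```

The regex checks are deliberately per event rather than one long pattern, so a filter that covers only a subset of the events (for example `PutBucketPolicy` but not `DeleteBucketPolicy`) is reported as `alarm` instead of silently passing.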
Query
Tables used in this query:
- aws_account
- aws_cloudtrail_trail
- aws_cloudwatch_alarm
- aws_cloudwatch_log_metric_filter
- aws_sns_topic_subscription
Controls using this query:
- 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes
- 4.8 Ensure S3 bucket policy changes are monitored
- 4.8 Ensure S3 bucket policy changes are monitored
- 4.8 Ensure S3 bucket policy changes are monitored
- 4.8 Ensure S3 bucket policy changes are monitored
- 5.8 Ensure S3 bucket policy changes are monitored
- Ensure a log metric filter and alarm exist for S3 bucket policy changes