
Quick Start Security for Amazon CloudWatch


Out-of-the-Box Security For Amazon CloudWatch Includes:

Alerts - 7

Stay on top of Amazon CloudWatch key performance metrics, and keep everyone informed through integrations with Slack, PagerDuty and more.

A Log Stream has been deleted

A log stream is a sequence of log events that share the same source. Any deletion of a log stream should be validated.
Impact: Deleting a log stream can be an evasion technique used by an attacker to hide actions they have already carried out.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if it was not. Take note of the deletion of multiple log streams by the same principal in a short period.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

An alarm has been disabled

CloudWatch alarms notify the user of anomalous activity as the user defines it. An alarm can span different AWS services and alert on any metric that CloudWatch measures.
Impact: Disabling an alarm's actions can be an evasion technique: the alarm keeps evaluating its metric, but no notifications or automated responses are sent, so the user stops receiving alerts while the attacker's activity continues.
Mitigation: Verify that disabling the alarm was intentional and authorized, and investigate further if it was not. Take note of multiple alarms being disabled together.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

An alarm has been deleted

CloudWatch alarms notify the user of anomalous activity as the user defines it. An alarm can span different AWS services and alert on any metric that CloudWatch measures.
Impact: Unauthorized deletion of an alarm removes the notification path entirely and can be an evasion technique used by an attacker to hide malicious activity by preventing the user from receiving alerts.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if it was not. Take note of the deletion of multiple alarms together.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

A log group has been deleted

A log group is a group of log streams that share the same retention, monitoring, and access control settings. Any deletion of a log group should be validated.
Impact: Deleting a log group also removes every log stream and stored log event in it, so it can be an evasion technique used by an attacker to erase the record of actions they have already carried out across a whole source at once.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if it was not. Take note of the deletion of multiple log groups by the same principal in a short period.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

A rule has been deleted

CloudWatch Events / Amazon EventBridge rules match incoming events and route them to specific AWS targets for processing. A matched event can trigger actions in multiple other AWS services (such as Lambda, EC2, AWS Batch jobs and so on).
Impact: Unauthorized deletion of a rule can be an evasion technique: the system no longer triggers the actions the rule would have fired on other services, including any automated security responses that depended on it.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if it was not. Take note of the deletion of multiple rules together.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

A rule has been disabled

CloudWatch Events / Amazon EventBridge rules match incoming events and route them to specific AWS targets for processing. A matched event can trigger actions in multiple other AWS services (such as Lambda, EC2, AWS Batch jobs and so on).
Impact: Disabling a rule can be an evasion technique with the same effect as deleting it for as long as it stays disabled: the system no longer triggers the actions the rule would have fired on other services, including any automated security responses that depended on it.
Mitigation: Verify that disabling the rule was intentional and authorized, and investigate further if it was not. Take note of multiple rules being disabled together.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)

No logs from Amazon CloudWatch

This rule fires when no Amazon CloudWatch logs have arrived from the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem so that it watches the right data.
Impact: Disabling logging is a tactic adversaries employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. A 12-hour gap can also have a benign cause, such as a stopped log shipper or revoked permissions, but in either case detection is blind until the gap is closed.
Mitigation: Find and address the cause of the gap (the shipper, its credentials or permissions, or a deleted log group) so that monitoring within the Coralogix SIEM stays complete.
MITRE Tactic: TA0005 (Defense Evasion) MITRE Technique: T1562 (Impair Defenses)
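The six API-driven alerts and the 12-hour silence check above can be expressed as one small detector over CloudTrail events. The Python below is an added example, not Coralogix's own rule definitions: it assumes that each alert corresponds to the CloudTrail eventSource/eventName pair listed in ALERT_FOR_API, runs over a constructed batch of events in CloudTrail's field layout (not real account data), and treats three successful calls by one principal as "multiple" (the threshold is an assumption). Calls that CloudTrail recorded with an errorCode such as AccessDenied are kept as findings but marked as failed, since the resource survived but the attempt is still worth a look.

```python
"""Detection logic for the seven CloudWatch alerts above, run over constructed
CloudTrail-style events. Example code added to this page, not Coralogix's rules."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed mapping from the CloudTrail (eventSource, eventName) pair that records
# each API call to the alert on this page that it should raise.
ALERT_FOR_API = {
    ("logs.amazonaws.com", "DeleteLogStream"): "A Log Stream has been deleted",
    ("logs.amazonaws.com", "DeleteLogGroup"): "A log group has been deleted",
    ("monitoring.amazonaws.com", "DisableAlarmActions"): "An alarm has been disabled",
    ("monitoring.amazonaws.com", "DeleteAlarms"): "An alarm has been deleted",
    ("events.amazonaws.com", "DeleteRule"): "A rule has been deleted",
    ("events.amazonaws.com", "DisableRule"): "A rule has been disabled",
}
MITRE = {"tactic": "TA0005", "technique": "T1562"}
BULK_THRESHOLD = 3                    # assumed: "multiple" = this many successful calls by one actor
SILENCE_WINDOW = timedelta(hours=12)  # the page's "no logs in the last 12 hours"

# Constructed sample events in CloudTrail's field layout (not real account data).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:role/deploy-bot"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogStream",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"logGroupName": "/aws/lambda/payments", "logStreamName": "2024/05/01/[$LATEST]a1b2"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"logGroupName": "/aws/lambda/payments"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"logGroupName": "/aws/lambda/auth"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"logGroupName": "CloudTrail/management"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
     "userIdentity": {"arn": BOB}, "requestParameters": {"alarmNames": ["root-login"]},
     "errorCode": "AccessDenied"},                                   # attempted, but denied by IAM
    {"eventTime": "2024-05-01T11:05:00Z", "eventSource": "events.amazonaws.com", "eventName": "DisableRule",
     "userIdentity": {"arn": BOB}, "requestParameters": {"name": "guardduty-to-responder"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "logs.amazonaws.com", "eventName": "DescribeLogGroups",
     "userIdentity": {"arn": ALICE}},                               # read-only, should not match
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def match_events(events):
    """One finding per event whose API call maps to an alert. Calls recorded with an
    errorCode are kept but marked succeeded=False: the resource survived, but the
    attempt itself is still worth investigating."""
    findings = []
    for ev in events:
        title = ALERT_FOR_API.get((ev.get("eventSource"), ev.get("eventName")))
        if title is None:
            continue
        findings.append({
            "alert": title,
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "time": ev["eventTime"],
            "resource": ev.get("requestParameters", {}),
            "succeeded": "errorCode" not in ev,
            **MITRE,
        })
    return findings


def bulk_actors(findings, threshold=BULK_THRESHOLD):
    """The page's "take note of deletion of multiple ..." check: successful matching
    calls per (actor, alert) that reach the threshold. Feed it a time-bounded batch
    (e.g. the last hour of events) so the count means "many in a short period"."""
    counts = Counter((f["actor"], f["alert"]) for f in findings if f["succeeded"])
    return {key: n for key, n in counts.items() if n >= threshold}


def logging_silent(events, now, window=SILENCE_WINDOW):
    """The "No logs from Amazon CloudWatch" alert: True when nothing has arrived within
    `window` of `now`. An empty batch is silence too, which is the worst case."""
    if not events:
        return True
    newest = max(parse_time(ev["eventTime"]) for ev in events)
    return now - newest > window


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} {f['alert']!r} by {f['actor']} succeeded={f['succeeded']}")
    print("bulk:", bulk_actors(found))
    print("silent at 2024-05-02T00:00:00Z:",
          logging_silent(SAMPLE_EVENTS, parse_time("2024-05-02T00:00:00Z")))
```

On the constructed batch the detector raises six findings (the read-only DescribeLogGroups call is ignored), flags alice for deleting three log groups in a row, keeps bob's denied DeleteAlarms as a failed attempt, and reports silence only once the newest event is more than 12 hours old.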

Documentation

Learn more about Coralogix's out-of-the-box integration with Amazon CloudWatch in our documentation.
