CloudWatch log metric filter and alarm for AWS Organizations changes are not set for the master account Affecting CloudWatch service in AWS
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CC-00103
- credit Snyk Research Team
Description
Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps you to ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes can be rolled back.
How to fix?
Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.
Use the following pattern attribute set:
$.eventSource=organizations.amazonaws.com
$.eventName=AcceptHandshake
$.eventName=AttachPolicy
$.eventName=CreateAccount
$.eventName=CreateOrganizationalUnit
$.eventName=CreatePolicy
$.eventName=DeclineHandshake
$.eventName=DeleteOrganization
$.eventName=DeleteOrganizationalUnit
$.eventName=DeletePolicy
$.eventName=DetachPolicy
$.eventName=DisablePolicyType
$.eventName=EnablePolicyType
$.eventName=InviteAccountToOrganization
$.eventName=LeaveOrganization
$.eventName=MoveAccount
$.eventName=RemoveAccountFromOrganization
$.eventName=UpdatePolicy
$.eventName=UpdateOrganizationalUnit