Ensure that there is an Amazon CloudWatch alarm implemented within your AWS Master account that is triggered each time an administrator-specific action occurs within your AWS Organizations.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using Amazon CloudWatch alarms to detect administrator-specific changes, such as creating or deleting an organization, creating new accounts within an organization, or removing a member account from an organization, is considered best practice and can help you prevent unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches. This monitoring technique helps ensure that any unexpected changes performed within your AWS Organizations can be investigated and any unwanted changes rolled back.
Note 1: Enabling CloudWatch alarms to detect changes performed within your AWS organization is required only for the Master account of the organization.
Note 2: For this rule, Cloud Conformity assumes that the CloudTrail service is already enabled to stream event log data to CloudWatch within your AWS account; otherwise, see this rule to enable the AWS CloudTrail – CloudWatch integration.
Note 3: Currently, AWS Organizations is hosted only in the US East (N. Virginia) Region, even though the service is available globally. To perform the steps, you must configure the AWS Management Console or CLI to use that region.
Audit
To determine if there are any CloudWatch alarms set up to monitor your AWS Organizations changes, perform the following actions:
Remediation / Resolution
Step 1: Create a Simple Notification Service (SNS) topic and the necessary subscription to send notifications whenever the appropriate AWS CloudWatch alarm is triggered:
Step 2: Create the necessary metric filter and the CloudWatch alarm that will fire and send email notifications whenever an administrator-specific change is made within your AWS Organizations:
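The audit check and the two remediation steps above, as an added shell example that is not part of the Conformity rule page or of any Conformity tooling. It uses the AWS CLI commands listed in the references (sns create-topic and subscribe for step 1, logs put-metric-filter and cloudwatch put-metric-alarm for step 2) plus `aws logs describe-metric-filters` for the audit, which is not in the references but is a standard `aws logs` subcommand. The log group name, SNS topic name, e-mail address, metric namespace and filter/alarm names are placeholders you must replace; the filter pattern covers the four administrator actions the rule text names (CreateOrganization, DeleteOrganization, CreateAccount, RemoveAccountFromOrganization) and can be extended with further AWS Organizations API event names. Per Note 3, all calls target us-east-1.

```shell
#!/bin/sh
# Added example, not Conformity's own script. Audits a CloudTrail log group for an
# existing AWS Organizations metric filter and, when run with "apply", creates the
# SNS topic, metric filter and alarm described in Steps 1 and 2.
set -eu

REGION="us-east-1"                                       # AWS Organizations region (Note 3)
LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"     # placeholder: CloudTrail -> CloudWatch Logs group
EMAIL="${EMAIL:-security-team@example.com}"              # placeholder: notification recipient
TOPIC_NAME="${TOPIC_NAME:-OrganizationsChangesTopic}"    # placeholder
FILTER_NAME="OrganizationsChangesFilter"                 # placeholder
METRIC_NS="CloudTrailMetrics"                            # placeholder
METRIC_NAME="OrganizationsChangesEventCount"             # placeholder
ALARM_NAME="OrganizationsChangesAlarm"                   # placeholder

# CloudWatch Logs JSON filter pattern: every Organizations API call is recorded by
# CloudTrail with eventSource organizations.amazonaws.com; the eventName list holds
# the administrator actions named in the rule text. Add further event names as needed.
build_filter_pattern() {
  printf '%s' '{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = "CreateOrganization") || ($.eventName = "DeleteOrganization") || ($.eventName = "CreateAccount") || ($.eventName = "RemoveAccountFromOrganization")) }'
}

# Audit helper: reads the JSON output of `aws logs describe-metric-filters` on stdin
# and returns 0 when some filter on the log group already watches Organizations events.
has_org_filter() {
  grep -q 'organizations\.amazonaws\.com'
}

# Step 1: SNS topic and e-mail subscription. The recipient must confirm the
# subscription from the e-mail AWS sends before notifications are delivered.
create_topic() {
  topic_arn=$(aws sns create-topic --region "$REGION" --name "$TOPIC_NAME" \
    --query TopicArn --output text)
  aws sns subscribe --region "$REGION" --topic-arn "$topic_arn" \
    --protocol email --notification-endpoint "$EMAIL" >/dev/null
  printf '%s\n' "$topic_arn"
}

# Step 2: metric filter that counts matching events, and an alarm that fires when
# at least one event is seen in a 5-minute period and notifies the topic.
create_filter_and_alarm() {
  topic_arn="$1"
  aws logs put-metric-filter --region "$REGION" \
    --log-group-name "$LOG_GROUP" \
    --filter-name "$FILTER_NAME" \
    --filter-pattern "$(build_filter_pattern)" \
    --metric-transformations metricName="$METRIC_NAME",metricNamespace="$METRIC_NS",metricValue=1
  aws cloudwatch put-metric-alarm --region "$REGION" \
    --alarm-name "$ALARM_NAME" \
    --alarm-description "Administrator action detected in AWS Organizations" \
    --metric-name "$METRIC_NAME" --namespace "$METRIC_NS" \
    --statistic Sum --period 300 --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --evaluation-periods 1 \
    --treat-missing-data notBreaching \
    --alarm-actions "$topic_arn"
}

# Audit first; remediate only when invoked as `./org-alarm.sh apply`.
main() {
  if aws logs describe-metric-filters --region "$REGION" --log-group-name "$LOG_GROUP" | has_org_filter; then
    echo "An AWS Organizations metric filter already exists on $LOG_GROUP"
    return 0
  fi
  if [ "${1:-}" = "apply" ]; then
    arn=$(create_topic)
    create_filter_and_alarm "$arn"
    echo "Created filter $FILTER_NAME and alarm $ALARM_NAME notifying $arn"
  else
    echo "No AWS Organizations metric filter found on $LOG_GROUP; rerun with 'apply' to remediate"
  fi
}

# Run only when given an argument, so the functions can also be sourced individually.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run `LOG_GROUP=<your log group> EMAIL=<recipient> ./org-alarm.sh audit` from a Master-account session to check for an existing filter, then with `apply` to create the topic, filter and alarm. The alarm uses Sum over 300 seconds with a threshold of 1 so that a single matching event is enough to notify; `notBreaching` keeps the alarm in OK state during periods with no Organizations activity.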
References
- AWS Documentation
  - Monitor the Activity in Your Organization
  - AWS Organizations API Reference
  - Amazon CloudWatch Concepts
  - Creating Amazon CloudWatch Alarms
  - Create a Topic
  - Subscribe to a Topic
- AWS Command Line Interface (CLI) Documentation
  - logs
    - put-metric-filter
  - cloudwatch
    - describe-alarms-for-metric
    - put-metric-alarm
  - sns
    - create-topic
    - subscribe
    - confirm-subscription