Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Configure a log metric filter and alarm for unauthorized API calls

Framework Reference: A.8.15 (Logging & Monitoring) Integration: AWS – CloudTrail + CloudWatch

Why this matters

Unauthorized API calls are often the first indicator of misconfigurations, privilege misuse, or active attacks. By monitoring these calls in near real time, your security team can detect and respond to access violations quickly—before damage is done.

Combining CloudTrail logs with CloudWatch metric filters and alarms allows for proactive alerting when specific error codes appear, such as AccessDenied or UnauthorizedOperation.

Setting up alerts for unauthorized access attempts is essential for effective incident detection and faster investigation.

What this check does

This check verifies that:

A CloudWatch metric filter is configured to detect unauthorized API calls using CloudTrail log groups

A CloudWatch alarm is in place to notify relevant teams via SNS or another endpoint when such events occur

The check passes if both components exist and are actively monitoring.

How to fix it

You can set up the required log metric filter, SNS topic, and CloudWatch alarm via the AWS CLI or console.

Using AWS CLI

Create a metric filter for unauthorized API calls:

aws logs put-metric-filter \  --log-group-name <cloudtrail-log-group> \  --filter-name unauthorized-api-calls \  --metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=Security,metricValue=1 \  --filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") && ($.sourceIPAddress != "delivery.logs.amazonaws.com") && ($.eventName != "HeadBucket") }' 

Create an SNS topic for alerting:

aws sns create-topic --name unauthorized-api-alerts

Subscribe your alert recipient (e.g., email, webhook):

aws sns subscribe \  --topic-arn <sns-topic-arn> \  --protocol email \  --notification-endpoint you@example.com

Create a CloudWatch alarm:

aws cloudwatch put-metric-alarm \  --alarm-name UnauthorizedAPICallAlarm \  --metric-name UnauthorizedAPICalls \  --namespace Security \  --statistic Sum \  --period 300 \  --threshold 1 \  --comparison-operator GreaterThanOrEqualToThreshold \  --evaluation-periods 1 \  --alarm-actions <sns-topic-arn>

Replace <cloudtrail-log-group>, <sns-topic-arn>, and other placeholders with values relevant to your setup.

Exceptions

If CloudTrail logs are sent to a third-party SIEM instead of CloudWatch Logs, make sure equivalent filters and alerts are configured in that platform. This check may be marked as Not Applicable if SIEM is used and documented.

Further Resources

AWS CloudWatch Integration for CloudTrail

Subscribe to an SNS Topic

Set Up Multi-Region CloudTrail Delivery

Amazon SNS Overview

Was this article helpful?

Powered by Product Fruits