Configure a log metric filter and alarm for unauthorized API calls
Why this matters
Unauthorized API calls are often the first indicator of misconfigurations, privilege misuse, or active attacks. By monitoring these calls in near real time, your security team can detect and respond to access violations quickly—before damage is done.
Combining CloudTrail logs with CloudWatch metric filters and alarms allows for proactive alerting when specific error codes appear, such as AccessDenied or UnauthorizedOperation.
Setting up alerts for unauthorized access attempts is essential for effective incident detection and faster investigation.
What this check does
This check verifies that:
A CloudWatch metric filter is configured to detect unauthorized API calls using CloudTrail log groups
A CloudWatch alarm is in place to notify relevant teams via SNS or another endpoint when such events occur
The check passes if both components exist and are actively monitoring.
How to fix it
You can set up the required log metric filter, SNS topic, and CloudWatch alarm via the AWS CLI or console.
Using AWS CLI
Create a metric filter for unauthorized API calls:
aws logs put-metric-filter \
--log-group-name <cloudtrail-log-group> \
--filter-name unauthorized-api-calls \
--metric-transformations metricName=UnauthorizedAPICalls,metricNamespace=Security,metricValue=1 \
--filter-pattern '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") && ($.sourceIPAddress != "delivery.logs.amazonaws.com") && ($.eventName != "HeadBucket") }'
Create an SNS topic for alerting:
aws sns create-topic --name unauthorized-api-alerts
Subscribe your alert recipient (e.g., email, webhook):
aws sns subscribe \
--topic-arn <sns-topic-arn> \
--protocol email \
--notification-endpoint you@example.com
Create a CloudWatch alarm:
aws cloudwatch put-metric-alarm \
--alarm-name UnauthorizedAPICallAlarm \
--metric-name UnauthorizedAPICalls \
--namespace Security \
--statistic Sum \
--period 300 \
--threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--alarm-actions <sns-topic-arn>
Replace <cloudtrail-log-group>, <sns-topic-arn>, and other placeholders with values relevant to your setup.
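To see what the filter above will and will not count before wiring it into an alarm, the following added example (not part of this page or of any AWS tooling) re-implements the filter pattern's matching logic locally and runs it over a handful of constructed CloudTrail records. It then sums the matches over one 300-second period and applies the alarm's Sum >= 1 rule, so you can confirm the exclusions for HeadBucket and delivery.logs.amazonaws.com behave as intended. The grouping of || and && in the pattern as written is implicit; the example assumes the intended reading (either error code, minus both exclusions), which you can make explicit in CloudWatch by wrapping the two errorCode tests in their own parentheses. All event records, timestamps and helper names are constructed for the example.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Filter pattern exactly as given on the page (CIS-style unauthorized API call filter).
FILTER_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") '
    '&& ($.sourceIPAddress != "delivery.logs.amazonaws.com") && ($.eventName != "HeadBucket") }'
)

# Alarm settings from the page: Sum over a 300-second period, alarm at >= 1.
PERIOD_SECONDS = 300
THRESHOLD = 1


def matches_unauthorized_filter(event: dict) -> bool:
    """Local re-implementation of the page's metric filter.

    Assumption: the intended grouping is
        (errorCode matches either wildcard) AND (not log-delivery source) AND (not HeadBucket).
    fnmatchcase gives the same leading/trailing wildcard behaviour as the filter's "*".
    """
    error_code = event.get("errorCode", "")  # successful calls carry no errorCode at all
    bad_code = (
        fnmatch.fnmatchcase(error_code, "*UnauthorizedOperation")
        or fnmatch.fnmatchcase(error_code, "AccessDenied*")
    )
    excluded_source = event.get("sourceIPAddress") == "delivery.logs.amazonaws.com"
    excluded_event = event.get("eventName") == "HeadBucket"
    return bad_code and not excluded_source and not excluded_event


def metric_sum(events, period_start: datetime, period_seconds: int = PERIOD_SECONDS) -> int:
    """Sum of metricValue=1 for matching events whose eventTime falls in [period_start, +period)."""
    period_end = period_start + timedelta(seconds=period_seconds)
    total = 0
    for ev in events:
        event_time = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if period_start <= event_time < period_end and matches_unauthorized_filter(ev):
            total += 1
    return total


def alarm_state(total: int, threshold: int = THRESHOLD) -> str:
    """Mirror the alarm's GreaterThanOrEqualToThreshold comparison on the period Sum."""
    return "ALARM" if total >= threshold else "OK"


# Constructed CloudTrail-style records (only the fields the filter inspects are included).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T12:00:10Z", "eventName": "DescribeInstances",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.10"},          # counted
    {"eventTime": "2024-01-01T12:01:00Z", "eventName": "RunInstances",
     "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.10"},  # counted
    {"eventTime": "2024-01-01T12:02:00Z", "eventName": "HeadBucket",
     "errorCode": "AccessDenied", "sourceIPAddress": "203.0.113.11"},          # excluded by eventName
    {"eventTime": "2024-01-01T12:03:00Z", "eventName": "PutObject",
     "errorCode": "AccessDenied", "sourceIPAddress": "delivery.logs.amazonaws.com"},  # excluded by source
    {"eventTime": "2024-01-01T12:04:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.12"},                                       # success, no errorCode
    {"eventTime": "2024-01-01T12:10:00Z", "eventName": "GetCallerIdentity",
     "errorCode": "AccessDeniedException", "sourceIPAddress": "203.0.113.13"},  # matches, but outside the period
]

PERIOD_START = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def evaluate_sample():
    """Return (metric sum for the first 300 s period, resulting alarm state)."""
    total = metric_sum(SAMPLE_EVENTS, PERIOD_START)
    return total, alarm_state(total)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['eventTime']} {ev['eventName']:<20} -> {matches_unauthorized_filter(ev)}")
    total, state = evaluate_sample()
    print(f"period sum = {total}, alarm state = {state}")
```

Running the block lists which records the filter would count and then prints the period sum (2) and the alarm state (ALARM); the HeadBucket and log-delivery records are dropped, a record with no errorCode never matches, and a matching record at 12:10 lands in a later period.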
Exceptions
If CloudTrail logs are sent to a third-party SIEM instead of CloudWatch Logs, make sure equivalent filters and alerts are configured in that platform. This check may be marked as Not Applicable if a SIEM is used and its use is documented.
Further Resources
AWS CloudWatch Integration for CloudTrail