You can remediate monitoring policies easily with the Quick Wins script. The script creates metrics and alarms for various events in your Amazon Web Services (AWS) account.

• See the 17 monitoring security policies remediated
  Policy Title 1

  Category Name

  Ensure a log metric filter and alarm exist for AWS Config configuration changes

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for changes to network gateways

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for CloudTrail configuration changes

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for IAM policy changes

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for Management Console sign-in without MFA

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for route table changes

  AWS - Monitoring

  Ensure a log metric filter and alarm exist for S3 bucket object read operations

  AWS - Monitoring

  1 to 10 of 17

  Page 1 of 2

  Close

To create metrics and alarms for various events in your AWS account:

1. Log in to the AWS portal as an AWS Administrator.
2. Open AWS CloudShell.
3. Download the script from GitHub using the following command:

wget https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/aws-alarms-quickwin/remediate-monitoring-policies.yml -O remediate-monitoring-policies.yml

4. Run the quick wins script by using the following command:

aws cloudformation deploy --template-file remediate-monitoring-policies.yml --stack-name <stack-name> --parameter-overrides env=<environment-prefix> region=<region-name> awsaccountid=<12-digit AWS account Id> emailid=<email-id where you wish to receive notifications> --capabilities CAPABILITY_NAMED_IAM

• stack-name: The stack name of the created stack.
• env: Environment prefix, such as prod.
• region: Region name where you want to deploy the resources, such as us-east-1.
• awsaccountid: 12-digit AWS ID of the account where you need to set up the alarms.
• emailid: Email address that will receive the notifications.

5. To start receiving the alarm notifications, subscribe to the SNS email request sent by AWS when running the script.

You can scan the relevant cloud account in the ZCSPM Admin Portal and view the security policy results.