
Investigate unauthorised-api-calls alarms and take action to reduce noise #9207

Open
3 tasks
richgreen-moj opened this issue Feb 5, 2025 · 0 comments

User Story

As an MP Engineer
I want to investigate the cause behind the large number of unauthorised-api-calls alarm triggers
So that I can reduce the noise in the #modernisation-platform-low-priority-alarms Slack channel

Value / Purpose

The aim of this ticket is to review the unauthorised-api-calls alarm, which is being triggered in many different accounts, and try to understand why it fires so often. The next step is then to decide on the best course of action, which could include resolving the root cause or simply altering the threshold of the alarm.

Ideally we want to be able to proactively monitor the #modernisation-platform-low-priority-alarms Slack channel, but there is currently too much noise for that to be reasonable.

Context / Background

https://mojdt.slack.com/archives/C013RM6MFFW/p1738592534773869 << Slack thread for extra context

https://moj-digital-tools.pagerduty.com/service-directory/PYDTWVM << PagerDuty incidents raised by the alarm

You can review the CloudWatch logs to see what is triggering the alarm in each account and check whether there are any common issues. This could be as simple as members not giving their workloads the appropriate IAM permissions to access certain resources/services. It would also be worth checking whether any platform-provisioned assets are causing the problem, as those would be more in our wheelhouse to fix.

Useful Contacts

@richgreen-moj

Additional Information

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html#cloudwatch-2 << this shows the reason for the alarm being set in the first place (CIS recommendation):

"CIS recommends that you create a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity."

Definition of Done

  • Review unauthorised-api-calls incidents and the associated CloudWatch logs to search for common patterns
  • Based on the findings, raise issues to fix the underlying problems (or just fix them if there's a simple win)
  • Consider altering the threshold for the alarm to a more appropriate value
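As an added illustration of the log review described above (example code, not part of this issue or the Modernisation Platform repo), the script below applies the CIS-style errorCode filter to constructed CloudTrail records, groups the matches by account, calling principal and denied action, and then shows which accounts would still cross a candidate threshold. The filter pattern, account ids and role names are assumptions, not values from this page.

```python
import json
import re
from collections import Counter

# CIS metric-filter pattern for this alarm, as I recall it (assumption: the page does not quote it):
#   { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
UNAUTHORIZED = re.compile(r"UnauthorizedOperation$|^AccessDenied")

def _event(account, source, name, role, error=None):
    """Constructed CloudTrail-shaped record (not real MoJ log data; account ids are placeholders)."""
    return {"recipientAccountId": account, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{account}:assumed-role/{role}/session"},
            **({"errorCode": error} if error else {})}

denied_s3 = _event("111111111111", "s3.amazonaws.com", "GetObject", "app-task-role", "AccessDenied")
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    denied_s3, denied_s3, denied_s3,  # one workload role repeatedly reading an object it cannot access
    _event("222222222222", "ec2.amazonaws.com", "DescribeInstances", "ci-role", "Client.UnauthorizedOperation"),
    _event("222222222222", "dynamodb.amazonaws.com", "GetItem", "lambda-role", "AccessDeniedException"),
    _event("111111111111", "s3.amazonaws.com", "ListBuckets", "app-task-role"),  # succeeded: no errorCode
    _event("111111111111", "ec2.amazonaws.com", "RunInstances", "ci-role", "Throttling"),  # error, not authz
]] + ["not json at all"]  # a log group can hold non-JSON lines as well

def is_unauthorized(event):
    """True when the CIS metric filter would count this record towards the alarm."""
    return bool(UNAUTHORIZED.search(event.get("errorCode", "")))

def triage(log_lines, top=5):
    """Group alarm-matching records by account, calling principal and denied action,
    so a single role missing one IAM permission stands out from the rest."""
    counts = Counter()
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # the JSON metric filter would skip this line too
        if is_unauthorized(event):
            identity = event.get("userIdentity", {})
            principal = identity.get("arn") or identity.get("type", "unknown")
            counts[(event.get("recipientAccountId"), principal,
                    f"{event.get('eventSource')}:{event.get('eventName')}")] += 1
    return counts.most_common(top)

def accounts_at_or_over(log_lines, threshold):
    """Accounts whose matching-record count reaches the threshold (what a raised threshold keeps/silences)."""
    per_account = Counter()
    for (account, _, _), n in triage(log_lines, top=None):
        per_account[account] += n
    return sorted(a for a, n in per_account.items() if n >= threshold)
```

Pointing `triage` at lines exported from the alarm's log group shows whether the noise is a handful of principals with one missing permission (fix the IAM policy) or spread thinly across many callers (a threshold change is the better lever).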
Status: To Do