Organizations changes alarm
Check ID: aws-cw-015
AWS-CW-015 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if a CloudWatch metric filter and alarm exist to detect AWS Organizations changes (InviteAccountToOrganization, CreateOrganization, etc.). Without this monitoring, organizational structure changes go undetected.
Why it matters
AWS Organizations controls the structure and governance of your entire multi-account environment. Changes such as removing an account from the organization, detaching or disabling Service Control Policies (SCPs), or inviting unknown accounts into the organization can undermine the controls that protect every account. An attacker who gains access to the management account can detach SCPs to unlock previously restricted actions across all member accounts, or create new accounts outside existing governance. Organizations changes are rare in production and almost always indicate either a planned administrative action or a serious security incident, so every alarm should be traceable to a change ticket or escalated as an incident. The broad filter pattern (every record whose eventSource is organizations.amazonaws.com) is intentional because any Organizations API call warrants investigation. Note that it also matches read-only calls such as DescribeOrganization or ListAccounts when the trail records read management events, so inventory automation that runs against the management account will trigger it and should be accounted for in the runbook.
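To make the filter and alarm semantics concrete, here is an added example (not code from this page or from cloud-audit) that emulates what the CIS 4.15 metric filter and alarm do with a batch of CloudTrail records: the one-clause equality pattern is applied to each record, every match contributes a metric value of 1, and matches are summed per 300-second period against a threshold of 1. The records, account IDs and principal ARNs are constructed for illustration; the pattern parser supports only the single-clause subset that CIS 4.15 uses.

```python
"""Added example, not code from this page or from cloud-audit: emulate what the
CIS 4.15 metric filter and alarm do with a batch of CloudTrail records.
The pattern { ($.eventSource = organizations.amazonaws.com) } matches every
record whose eventSource is organizations.amazonaws.com; the metric
transformation emits 1 per match, and the alarm sums those per 300-second
period and fires when the sum is >= 1. All records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

FILTER_PATTERN = "{ ($.eventSource = organizations.amazonaws.com) }"
PERIOD_SECONDS = 300   # --period 300
THRESHOLD = 1          # --threshold 1 with GreaterThanOrEqualToThreshold

# Constructed CloudTrail records, trimmed to the fields that matter here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:01:12Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DetachPolicy", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "RemoveAccountFromOrganization", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}},
    {"eventTime": "2024-05-01T11:30:05Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "InviteAccountToOrganization", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}},
    {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "userIdentity": {"arn": "arn:aws:iam::222222222222:user/dev"}},
    # Read-only Organizations calls are management events too, so they match as well.
    {"eventTime": "2024-05-01T14:00:01Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListAccounts", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/inventory-bot"}},
]

# Single-clause equality subset of the CloudWatch JSON filter syntax: { ($.field = value) }
_CLAUSE = re.compile(r'^\{\s*\(?\s*\$\.([\w.]+)\s*=\s*"?([^\s"()]+)"?\s*\)?\s*\}$')


def parse_equality_filter(pattern):
    """Return (field_path, value) for a one-clause equality pattern; reject anything else."""
    m = _CLAUSE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported filter pattern: {pattern!r}")
    return m.group(1), m.group(2)


def event_matches(event, field_path, value):
    """Walk the dotted selector into the record and compare as strings (filters are case-sensitive)."""
    node = event
    for part in field_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return str(node) == value


def _period_start(event_time, period):
    """Align an ISO-8601 CloudTrail timestamp to the start of its fixed period, as ISO-8601 UTC."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    start = int(ts.timestamp()) // period * period
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def metric_datapoints(events, pattern, period=PERIOD_SECONDS):
    """Metric transformation (metricValue=1 per match) aggregated with statistic Sum.
    Returns {period_start_iso: sum}; periods with no matches produce no datapoint at all."""
    field_path, value = parse_equality_filter(pattern)
    sums = defaultdict(int)
    for ev in events:
        if event_matches(ev, field_path, value):
            sums[_period_start(ev["eventTime"], period)] += 1
    return dict(sums)


def alarm_periods(events, pattern, threshold=THRESHOLD, period=PERIOD_SECONDS):
    """Period starts where Sum >= threshold, i.e. where a 1-period alarm evaluates to ALARM."""
    return sorted(start for start, total in metric_datapoints(events, pattern, period).items()
                  if total >= threshold)


if __name__ == "__main__":
    for start, total in sorted(metric_datapoints(SAMPLE_EVENTS, FILTER_PATTERN).items()):
        print(f"{start}  Sum={total}  {'ALARM' if total >= THRESHOLD else 'OK'}")
```

Running it lists three periods, each in ALARM: the 10:00 period with two matches (DetachPolicy and RemoveAccountFromOrganization land in the same five minutes), the 11:30 period with the invitation, and the 14:00 period triggered by nothing more than a ListAccounts call. The IAM and STS records never contribute a datapoint. One caveat the simulation makes visible: quiet periods produce no datapoint at all, and the put-metric-alarm invocation on this page leaves treat-missing-data at its default of "missing", under which the alarm keeps its previous state. Since notifications are sent on state transitions, an alarm that has already fired can sit in ALARM and stay silent on the next Organizations call; setting --treat-missing-data notBreaching (treat_missing_data = "notBreaching" in Terraform) lets it return to OK between events so each new burst notifies again.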
Common causes
Organizations changes are typically made by a small number of administrators, so monitoring is often informally managed through verbal communication rather than automated alerting. The management account may have less monitoring than workload accounts because it is considered an administrative account. Teams that use Organizations primarily for consolidated billing may not realize the security implications of SCPs, delegated administrators, and account management APIs.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
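What a check of this kind actually has to verify is easier to see in code. The following is an added example, not cloud-audit's own implementation: it runs the CIS 4.15 logic over data in the shape returned by aws logs describe-metric-filters (the metricFilters list) and aws cloudwatch describe-alarms (the MetricAlarms list), and reports the gaps a scanner would flag: no filter on the CloudTrail log group, a filter with no alarm, an alarm with no or disabled actions, or a threshold a single event cannot breach. The three configurations, the log group name and the SNS topic ARN are constructed placeholders.

```python
"""Added example, not cloud-audit's own implementation: the checks a CIS 4.15
style finding needs, run over data shaped like the output of
`aws logs describe-metric-filters` (metricFilters) and
`aws cloudwatch describe-alarms` (MetricAlarms). All data below is constructed."""
import re

# The CIS pattern is matched loosely so quoting or parenthesis differences do not cause false findings.
ORG_EVENT_SOURCE = re.compile(r'\$\.eventSource\s*=\s*"?organizations\.amazonaws\.com"?')

CLOUDTRAIL_LOG_GROUP = "/aws/cloudtrail/management"  # assumed name for the trail's log group

COMPLIANT = {
    "metricFilters": [
        {"filterName": "CIS-4.15", "logGroupName": CLOUDTRAIL_LOG_GROUP,
         "filterPattern": "{ ($.eventSource = organizations.amazonaws.com) }",
         "metricTransformations": [{"metricName": "CIS-4-15", "metricNamespace": "CISBenchmark",
                                    "metricValue": "1"}]},
    ],
    "MetricAlarms": [
        {"AlarmName": "CIS-4.15", "Namespace": "CISBenchmark", "MetricName": "CIS-4-15",
         "Statistic": "Sum", "Period": 300, "Threshold": 1.0,
         "ComparisonOperator": "GreaterThanOrEqualToThreshold", "EvaluationPeriods": 1,
         "ActionsEnabled": True,
         "AlarmActions": ["arn:aws:sns:us-east-1:111111111111:security-alerts"]},
    ],
}

# Same filter, but the alarm was created without --alarm-actions: it changes state silently.
NO_ACTIONS = {
    "metricFilters": COMPLIANT["metricFilters"],
    "MetricAlarms": [dict(COMPLIANT["MetricAlarms"][0], AlarmActions=[])],
}

# Filter exists but on an application log group, so Organizations calls in the trail never hit it.
WRONG_LOG_GROUP = {
    "metricFilters": [dict(COMPLIANT["metricFilters"][0], logGroupName="/aws/lambda/billing-export")],
    "MetricAlarms": COMPLIANT["MetricAlarms"],
}


def find_org_metrics(metric_filters, cloudtrail_log_group):
    """(namespace, metricName) pairs of filters on the CloudTrail log group that key on Organizations."""
    hits = []
    for mf in metric_filters:
        if mf.get("logGroupName") != cloudtrail_log_group:
            continue
        if not ORG_EVENT_SOURCE.search(mf.get("filterPattern", "")):
            continue
        for t in mf.get("metricTransformations", []):
            hits.append((t["metricNamespace"], t["metricName"]))
    return hits


def alarm_for_metric(alarms, namespace, metric_name):
    """First alarm bound to the given custom metric, or None."""
    for a in alarms:
        if a.get("Namespace") == namespace and a.get("MetricName") == metric_name:
            return a
    return None


def fires_on_single_event(alarm):
    """True if one matching record (Sum = 1 in a period) breaches the alarm's threshold."""
    op, thr = alarm.get("ComparisonOperator"), float(alarm.get("Threshold", 0))
    if op == "GreaterThanOrEqualToThreshold":
        return 1 >= thr
    if op == "GreaterThanThreshold":
        return 1 > thr
    return False


def evaluate_control(metric_filters, alarms, cloudtrail_log_group):
    """Return (passed, reasons). One fully wired filter/alarm pair is enough to pass."""
    metrics = find_org_metrics(metric_filters, cloudtrail_log_group)
    if not metrics:
        return False, [f"no metric filter for organizations.amazonaws.com on {cloudtrail_log_group}"]
    reasons = []
    for ns, name in metrics:
        alarm = alarm_for_metric(alarms, ns, name)
        if alarm is None:
            reasons.append(f"metric {ns}/{name} has no alarm")
        elif not alarm.get("AlarmActions"):
            reasons.append(f"alarm {alarm['AlarmName']} has no alarm actions")
        elif not alarm.get("ActionsEnabled", True):
            reasons.append(f"alarm {alarm['AlarmName']} has actions disabled")
        elif not fires_on_single_event(alarm):
            reasons.append(f"alarm {alarm['AlarmName']} cannot fire on a single event")
        else:
            return True, []
    return False, reasons


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("no actions", NO_ACTIONS), ("wrong log group", WRONG_LOG_GROUP)):
        print(label, evaluate_control(cfg["metricFilters"], cfg["MetricAlarms"], CLOUDTRAIL_LOG_GROUP))
```

To run it against a real account, replace the constructed lists with the parsed output of the two describe calls for the region that hosts the CloudTrail log group. The example stops at the alarm's actions; the CIS benchmark additionally expects the SNS topic behind the action to have at least one confirmed subscriber, which needs a third call (aws sns list-subscriptions-by-topic) and is not modelled here.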
Remediation: AWS CLI
# Create metric filter:
aws logs put-metric-filter \
--log-group-name <CLOUDTRAIL_LOG_GROUP> \
--filter-name CIS-4.15 \
--filter-pattern '{ ($.eventSource = organizations.amazonaws.com) }' \
--metric-transformations metricName=CIS-4-15,metricNamespace=CISBenchmark,metricValue=1
# Create alarm:
aws cloudwatch put-metric-alarm \
--alarm-name CIS-4.15 \
--metric-name CIS-4-15 \
--namespace CISBenchmark \
--statistic Sum --period 300 --threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 \
--alarm-actions <SNS_TOPIC_ARN>
Remediation: Terraform
resource "aws_cloudwatch_log_metric_filter" "cis_4_15" {
name = "CIS-4.15"
log_group_name = aws_cloudwatch_log_group.cloudtrail.name
pattern = "{ ($.eventSource = organizations.amazonaws.com) }"
metric_transformation {
name = "CIS-4-15"
namespace = "CISBenchmark"
value = "1"
}
}
resource "aws_cloudwatch_metric_alarm" "cis_4_15" {
alarm_name = "CIS-4.15"
metric_name = "CIS-4-15"
namespace = "CISBenchmark"
statistic = "Sum"
period = 300
threshold = 1
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = 1
alarm_actions = [aws_sns_topic.alerts.arn]
}
Compliance mapping
This check maps to CIS 4.15 ("Ensure AWS Organizations changes are monitored") in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →