Rules for configuring AWS to assist with monitoring and responding to account activities.

Rule Name


Ensure recommended metric-filters and alarms are implemented on Multi-region CloudTrail (3.1 to 3.13)

It is strongly recommended that a metric filter and alarm be established for detecting:

  • Unauthorized API calls
  • Console logins that are not protected by MFA
  • Root login attempts
  • Changes made to Identity and Access Management (IAM) policies
  • Changes to CloudTrail's configurations
  • Failed console authentication attempts
  • Customer-created CMKs which have changed state to disabled or scheduled deletion
  • Changes to S3 buckets
  • Changes to AWS Config configuration
  • Changes made to Security Groups
  • Changes made to NACLs
  • Changes to the network
  • Changes to route tables
  • Changes made to VPCs.
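To show what several of these detections look for in a CloudTrail record, the following added example (not part of the original page, and not AWS's or the benchmark's own filter definitions) approximates six of them in Python and runs them offline. The rule names, the `classify` helper, the exact matching conditions and the sample event are assumptions made for illustration; the field names follow the CloudTrail record format.

```python
# Added example: offline approximation of CloudWatch metric-filter matching.
# Field names follow the CloudTrail record format; the sample event is constructed.

def get(event, path):
    """Follow a dotted path through nested dicts; None if a key is absent."""
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return None
        event = event[key]
    return event

CLOUDTRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}

RULES = {  # hypothetical rule names, one per detection in the list above
    "unauthorized_api_call": lambda e: (
        (get(e, "errorCode") or "").endswith("UnauthorizedOperation")
        or (get(e, "errorCode") or "").startswith("AccessDenied")),
    "console_login_without_mfa": lambda e: (
        get(e, "eventName") == "ConsoleLogin"
        and get(e, "responseElements.ConsoleLogin") == "Success"
        and get(e, "additionalEventData.MFAUsed") != "Yes"),
    # Any activity by the root identity, which includes root login attempts.
    "root_activity": lambda e: (
        get(e, "userIdentity.type") == "Root"
        and get(e, "userIdentity.invokedBy") is None
        and get(e, "eventType") != "AwsServiceEvent"),
    "failed_console_auth": lambda e: (
        get(e, "eventName") == "ConsoleLogin"
        and get(e, "errorMessage") == "Failed authentication"),
    "cloudtrail_config_change": lambda e: (
        get(e, "eventSource") == "cloudtrail.amazonaws.com"
        and get(e, "eventName") in CLOUDTRAIL_CHANGES),
    "cmk_disabled_or_scheduled_deletion": lambda e: (
        get(e, "eventSource") == "kms.amazonaws.com"
        and get(e, "eventName") in {"DisableKey", "ScheduleKeyDeletion"}),
}

def classify(event):
    """Return the sorted names of every rule the event matches."""
    return sorted(name for name, rule in RULES.items() if rule(event))

ROOT_FAILED_LOGIN = {  # constructed sample event
    "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
    "userIdentity": {"type": "Root"}, "errorMessage": "Failed authentication",
    "responseElements": {"ConsoleLogin": "Failure"},
    "additionalEventData": {"MFAUsed": "No"},
}

if __name__ == "__main__":
    print(classify(ROOT_FAILED_LOGIN))
```

A single event can match more than one rule, which is why each detection gets its own metric filter and alarm rather than one combined filter.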
