
Security monitoring for AWS CloudHSM - AWS Prescriptive Guidance

Security monitoring for AWS CloudHSM

By default, AWS CloudHSM collects your HSM audit logs and sends them to Amazon CloudWatch Logs on your behalf. Security-related events are also included in this log data. We recommend that you monitor the logs for security-related events, such as the creation or deletion of certain user types or login failures.

You cannot create an alarm directly on the log stream. First, you must set up a CloudWatch Logs metric filter, and then you can create an alarm on the metric filter.

This section describes how to configure CloudWatch metric filters and alarms for the following security-related events in AWS CloudHSM:

  - Creation of crypto officers
  - Creation of crypto users
  - Deletion of crypto officers or crypto users
  - Entry of incorrect user names
  - Entry of incorrect passwords

This section also describes how to configure an Amazon EventBridge rule for the following security-related events in AWS CloudHSM:

  - Security-related API calls (DeleteHsm, CopyBackupToRegion, and ModifyCluster)

Creation of crypto officers (Recommended)

An AWS CloudHSM crypto officer (CO) can perform user management operations. For example, they can create and delete users, and they can change user passwords. Therefore, it is important to track and monitor the creation of new COs so that you can detect any security risks, such as unauthorized access or over-privileged permissions.

The following table shows the configuration values for the metric filter. For instructions about how to set up a metric filter, see Create a metric filter for a log group in the CloudWatch Logs documentation.

Property           Value
Pattern            CN_CREATE_CO
Log group name     <Name of the log group for the AWS CloudHSM cluster>
Metric name        Event count
Metric namespace   <Your custom namespace>
Metric value       1

The following table shows the configuration values for the alarm. For instructions about how to set up this alarm, see Create a CloudWatch alarm based on a log group-metric filter in the CloudWatch Logs documentation.

Property                 Value
Namespace                <Custom namespace you created for the metric filter>
Statistic                Maximum
Threshold type           Static
Whenever Event count is  Greater/Equal
than                     1

Creation of crypto users (Recommended)

An AWS CloudHSM crypto user (CU) can perform key management and cryptographic operations on the HSM. Therefore, it is important to track and monitor the creation of new CUs so that you can detect any security risks, such as unauthorized usage of encryption keys or over-privileged permissions.

The following table shows the configuration values for the metric filter. For instructions about how to set up a metric filter, see Create a metric filter for a log group in the CloudWatch Logs documentation.

Property           Value
Pattern            CN_CREATE_USER
Log group name     <Name of the log group for the AWS CloudHSM cluster>
Metric name        Event count
Metric namespace   <Your custom namespace>
Metric value       1

The following table shows the configuration values for the alarm. For instructions about how to set up this alarm, see Create a CloudWatch alarm based on a log group-metric filter in the CloudWatch Logs documentation.

Property                 Value
Namespace                <Custom namespace you created for the metric filter>
Statistic                Maximum
Threshold type           Static
Whenever Event count is  Greater/Equal
than                     1

Deletion of crypto officers or crypto users (Recommended)

Similar to tracking the creation of COs and CUs, it is important to track the deletion of these user types. Tracking user deletion can help you detect access issues and identify potential security breaches.

The following table shows the configuration values for the metric filter. For instructions about how to set up a metric filter, see Create a metric filter for a log group in the CloudWatch Logs documentation.

Property           Value
Pattern            CN_DELETE_USER
Log group name     <Name of the log group for the AWS CloudHSM cluster>
Metric name        Event count
Metric namespace   <Your custom namespace>
Metric value       1

The following table shows the configuration values for the alarm. For instructions about how to set up this alarm, see Create a CloudWatch alarm based on a log group-metric filter in the CloudWatch Logs documentation.

Property                 Value
Namespace                <Custom namespace you created for the metric filter>
Statistic                Maximum
Threshold type           Static
Whenever Event count is  Greater/Equal
than                     1

Entry of incorrect user names (Recommended)

We recommend that you monitor login attempts with an incorrect user name. These can indicate that someone is trying to gain unauthorized access or is probing for valid account names. To help prevent alert fatigue, the alarm is triggered only if two or more such attempts occur within one alarm period. Because the metric filter emits the same metric for every matching event, the count is across all users on the cluster, not per user. Adjust the threshold and the alarm period as needed for your organization and policies.

The following table shows the configuration values for the metric filter. For instructions about how to set up a metric filter, see Create a metric filter for a log group in the CloudWatch Logs documentation.

Property           Value
Pattern            "Error: This user doesn't exist"
Log group name     <Name of the log group for the AWS CloudHSM cluster>
Metric name        Event count
Metric namespace   <Your custom namespace>
Metric value       1

The following table shows the configuration values for the alarm. For instructions about how to set up this alarm, see Create a CloudWatch alarm based on a log group-metric filter in the CloudWatch Logs documentation.

Property                 Value
Namespace                <Custom namespace you created for the metric filter>
Statistic                Sum
Threshold type           Static
Whenever Event count is  Greater/Equal
than                     2

Entry of incorrect passwords (Recommended)

We recommend that you monitor login attempts with an incorrect password. These can indicate that someone is trying to gain unauthorized access or is guessing credentials. To help prevent alert fatigue, the alarm is triggered only if two or more such attempts occur within one alarm period. As with the user name alarm, the Sum statistic counts matching events across all users on the cluster, not per user. Adjust the threshold and the alarm period as needed for your organization and policies.

The following table shows the configuration values for the metric filter. For instructions about how to set up a metric filter, see Create a metric filter for a log group in the CloudWatch Logs documentation.

Property           Value
Pattern            RET_USER_LOGIN_FAILURE
Log group name     <Name of the log group for the AWS CloudHSM cluster>
Metric name        Event count
Metric namespace   <Your custom namespace>
Metric value       1

The following table shows the configuration values for the alarm. For instructions about how to set up this alarm, see Create a CloudWatch alarm based on a log group-metric filter in the CloudWatch Logs documentation.

Property                 Value
Namespace                <Custom namespace you created for the metric filter>
Statistic                Sum
Threshold type           Static
Whenever Event count is  Greater/Equal
than                     2
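The five metric filter and alarm pairs above (CO creation, CU creation, user deletion, incorrect user name, incorrect password) share one mechanism: a filter pattern that emits metric value 1 per matching log event, and an alarm that compares a statistic of that metric with a threshold. The following Python is an added example and is not code from the AWS page. It simulates that mechanism against constructed, abbreviated CloudHSM audit-log events so you can see why a single CN_CREATE_CO event trips a Maximum >= 1 alarm while one login failure does not trip a Sum >= 2 alarm, and it builds the parameter dictionaries that boto3's put_metric_filter and put_metric_alarm accept. The term-matching rules are an approximation of CloudWatch Logs filter semantics, the filter and alarm names are hypothetical, and the sample events carry only the fields the patterns key on.

```python
"""Added example, not code from the AWS page: a local simulation of the five
metric filter + alarm pairs above against constructed CloudHSM audit-log
events, plus builders for boto3 put_metric_filter / put_metric_alarm kwargs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str       # hypothetical filter, metric and alarm name
    pattern: str    # CloudWatch Logs filter pattern from the tables above
    statistic: str  # "Maximum": one event is enough; "Sum": count per period
    threshold: int  # alarm fires when statistic >= threshold (Greater/Equal)


# The five detections from the page; every match emits metric value 1.
DETECTIONS = [
    Detection("cloudhsm-co-created", "CN_CREATE_CO", "Maximum", 1),
    Detection("cloudhsm-cu-created", "CN_CREATE_USER", "Maximum", 1),
    Detection("cloudhsm-user-deleted", "CN_DELETE_USER", "Maximum", 1),
    Detection("cloudhsm-bad-username", '"Error: This user doesn\'t exist"', "Sum", 2),
    Detection("cloudhsm-bad-password", "RET_USER_LOGIN_FAILURE", "Sum", 2),
]

# Constructed, abbreviated audit-log events for one alarm period. Real events
# carry more fields (timestamps, session handle, hex opcodes); only the fields
# the patterns key on are kept here.
SAMPLE_PERIOD = [
    "Opcode : CN_LOGIN\nResponse : 0:HSM Return: SUCCESS",
    "Opcode : CN_CREATE_CO\nResponse : 0:HSM Return: SUCCESS",
    "Opcode : CN_LOGIN\nResponse : HSM Return: RET_USER_LOGIN_FAILURE",
    "Opcode : CN_LOGIN\nResponse : HSM Return: RET_USER_LOGIN_FAILURE",
    "Opcode : CN_LOGIN\nResponse : HSM Return: RET_USER_LOGIN_FAILURE",
    "Error: This user doesn't exist",
]


def event_matches(pattern: str, event: str) -> bool:
    """Approximation (assumption) of CloudWatch Logs term matching: a quoted
    phrase must appear verbatim, a bare term must appear as a whole
    whitespace-delimited token. Both are case-sensitive, as in CloudWatch."""
    if len(pattern) > 1 and pattern[0] == pattern[-1] == '"':
        return pattern[1:-1] in event
    return pattern in event.split()


def period_value(det: Detection, events: list) -> int:
    """Statistic value for one evaluation period: each matching event
    contributes 1 (the configured metric value), non-matching events nothing."""
    hits = [1 for e in events if event_matches(det.pattern, e)]
    if det.statistic == "Maximum":
        return max(hits, default=0)  # 1 if anything matched, else 0
    if det.statistic == "Sum":
        return sum(hits)             # count of matches across ALL users
    raise ValueError(f"unsupported statistic {det.statistic!r}")


def evaluate_period(events: list) -> dict:
    """Map detection name -> (statistic value, alarm fires?) for one period."""
    result = {}
    for det in DETECTIONS:
        value = period_value(det, events)
        result[det.name] = (value, value >= det.threshold)
    return result


def metric_filter_params(det: Detection, log_group: str, namespace: str) -> dict:
    """Keyword arguments for boto3 logs.put_metric_filter(**...)."""
    return {
        "logGroupName": log_group,
        "filterName": det.name,
        "filterPattern": det.pattern,
        "metricTransformations": [{
            "metricName": det.name,        # one metric per detection, not a shared name
            "metricNamespace": namespace,
            "metricValue": "1",
            "defaultValue": 0.0,           # publish 0 in quiet periods
        }],
    }


def alarm_params(det: Detection, namespace: str, sns_topic_arn: str,
                 period_seconds: int = 300) -> dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**...).
    The console's "Greater/Equal" is GreaterThanOrEqualToThreshold in the API."""
    return {
        "AlarmName": det.name,
        "Namespace": namespace,
        "MetricName": det.name,
        "Statistic": det.statistic,
        "Period": period_seconds,          # window the Sum threshold counts over
        "EvaluationPeriods": 1,
        "Threshold": det.threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


if __name__ == "__main__":
    for name, (value, fires) in evaluate_period(SAMPLE_PERIOD).items():
        print(f"{name:24} value={value} alarm={'ALARM' if fires else 'OK'}")
```

Two design points differ from a literal reading of the tables: each detection gets its own metric name rather than the shared "Event count", because two filters publishing the same metric in the same namespace would be summed together and the alarms could no longer tell a CO creation from a CU creation; and defaultValue 0 makes quiet periods publish a zero, so a freshly created alarm moves to OK instead of sitting in INSUFFICIENT_DATA. To deploy, pass the dictionaries to boto3 with `boto3.client("logs").put_metric_filter(**metric_filter_params(...))` and `boto3.client("cloudwatch").put_metric_alarm(**alarm_params(...))`.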

Security-related API calls (Recommended)

Monitoring the DeleteHsm, CopyBackupToRegion, and ModifyCluster API calls for AWS CloudHSM can provide critical oversight of high-impact operations. These API calls can alter the security posture and operational state of the AWS CloudHSM infrastructure.

By implementing near real-time alerts for these API calls, you can promptly detect and respond to potentially unauthorized or accidental changes to HSMs and clusters. Alarms provide notification about actions that can affect cryptographic key availability, cross-Region data transfers, or cluster configurations. Vigilance is essential to maintain the integrity and availability of sensitive cryptographic operations. Alarms help you maintain compliance with security policies and facilitate rapid incident response. Ultimately, this targeted monitoring approach enhances the overall security governance of your AWS CloudHSM resources because it provides stakeholders with timely insights into critical changes that might require immediate attention or review.

AWS CloudHSM is integrated with AWS CloudTrail, a service that records the actions taken by a user, role, or AWS service. CloudTrail captures the API calls for AWS CloudHSM as events. In Amazon EventBridge, you can create a rule that matches the CloudTrail events for the DeleteHsm, CopyBackupToRegion, and ModifyCluster API calls and sends them to a target. We recommend an Amazon Simple Notification Service (Amazon SNS) topic as the target because it delivers near real-time alerts when these critical operations are performed. Note that EventBridge delivers events with the detail-type AWS API Call via CloudTrail only for management events in the Region where the rule exists, and only if a CloudTrail trail with logging enabled is configured in the account; create the rule in every Region in which you operate clusters.

When you create an EventBridge rule, you can customize the text that is passed to the rule target. The input transformer extracts specific fields from the event and formats them into a concise, informative message. The resulting alert provides immediate context about the event, including the AWS account, AWS Region, specific API call, time of the event, and the identity of the user who performed the action.

To create the EventBridge rule
  1. Follow the instructions in Define the rule to enter a custom name and description for your rule.

  2. Follow the instructions in Build the event pattern. Choose Custom pattern (JSON editor), and then enter the following event pattern:

    {
      "source": ["aws.cloudhsm"],
      "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {
        "eventSource": ["cloudhsm.amazonaws.com"],
        "eventName": ["DeleteHsm", "CopyBackupToRegion", "ModifyCluster"]
      }
    }
  3. Follow the instructions in Select targets and note the following:

    1. Choose the Amazon SNS topic that will receive events that match the specified pattern.

    2. Under Additional settings, for Configure target input, choose Input transformer.

    3. Choose Configure input transformer.

    4. In Input path, enter the following:

      {
        "account": "$.account",
        "region": "$.region",
        "eventName": "$.detail.eventName",
        "eventTime": "$.detail.eventTime",
        "userIdentity": "$.detail.userIdentity.arn"
      }
    5. In Template, enter the following:

      {
        "account": <account>,
        "region": <region>,
        "message": "Critical AWS CloudHSM operation detected: <eventName> was performed at <eventTime> by <userIdentity>"
      }
  4. Follow the instructions in Configure tags and review rule to finish creating the rule.
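Before deploying the rule, it is worth checking locally that the event pattern matches the three calls and nothing else, and that the input transformer produces a message the SNS target can use. The following Python is an added example and is not code from the AWS page: it applies the page's event pattern and input transformer to a constructed CloudTrail event as EventBridge would deliver it. The pattern-matching function implements only the exact-match subset of EventBridge semantics that this pattern needs, the account ID, ARNs and timestamps are made up, and the placeholder-quoting rule (a placeholder inside a JSON string is inserted as raw text, a bare placeholder as a JSON value) is the documented input transformer behaviour.

```python
"""Added example, not code from the AWS page: a local check of the EventBridge
rule above (event pattern + input transformer) against a constructed
CloudTrail event. Account ID, ARNs and timestamps are made up."""
import json
import re
from typing import Optional

# Event pattern and input transformer exactly as in the procedure above.
EVENT_PATTERN = {
    "source": ["aws.cloudhsm"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudhsm.amazonaws.com"],
        "eventName": ["DeleteHsm", "CopyBackupToRegion", "ModifyCluster"],
    },
}
INPUT_PATH = {
    "account": "$.account",
    "region": "$.region",
    "eventName": "$.detail.eventName",
    "eventTime": "$.detail.eventTime",
    "userIdentity": "$.detail.userIdentity.arn",
}
TEMPLATE = ('{ "account": <account>, "region": <region>, "message": '
            '"Critical AWS CloudHSM operation detected: <eventName> was performed '
            'at <eventTime> by <userIdentity>" }')


def make_event(event_name: str) -> dict:
    """Constructed EventBridge envelope for a CloudTrail management event."""
    return {
        "version": "0",
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.cloudhsm",
        "account": "123456789012",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventSource": "cloudhsm.amazonaws.com",
            "eventName": event_name,
            "eventTime": "2024-01-01T00:00:00Z",
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/constructed-user"},
        },
    }


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge semantics (assumption): every pattern
    key must exist in the event, a list means "value is one of these", and a
    nested dict recurses. Content filters (prefix, anything-but, ...) are not
    implemented because the page's pattern does not use them."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not (isinstance(actual, dict) and pattern_matches(expected, actual)):
                return False
        elif actual not in expected:
            return False
    return True


def resolve_path(event: dict, path: str):
    """Resolve an Input path entry such as "$.detail.userIdentity.arn"."""
    node = event
    for part in path[2:].split(".") if path.startswith("$.") else path.split("."):
        node = node[part]
    return node


def render(template: str, input_path: dict, event: dict) -> str:
    """Apply the input transformer. A placeholder inside a JSON string is
    replaced with raw text; a bare placeholder with a JSON value (a string
    keeps its quotes). Quote parity before the placeholder tells them apart."""
    values = {name: resolve_path(event, path) for name, path in input_path.items()}

    def substitute(match: re.Match) -> str:
        inside_string = template.count('"', 0, match.start()) % 2 == 1
        value = values[match.group(1)]
        return str(value) if inside_string else json.dumps(value)

    return re.sub(r"<(\w+)>", substitute, template)


def alert_for(event: dict) -> Optional[dict]:
    """What the SNS target would receive for this event, or None if the rule
    would not fire. The rendered template must itself parse as JSON."""
    if not pattern_matches(EVENT_PATTERN, event):
        return None
    return json.loads(render(TEMPLATE, INPUT_PATH, event))


if __name__ == "__main__":
    print(alert_for(make_event("DeleteHsm")))
    print(alert_for(make_event("DescribeClusters")))  # read-only call: None
```

If you later add fields to the template, keep string-valued placeholders either bare or inside quotes, never half-quoted, or the rendered message stops being valid JSON and the SNS target receives unusable text. Running the check with an event whose `userIdentity` lacks an `arn` (for example some service-initiated events) raises a KeyError here; EventBridge would likewise produce an empty substitution, so consider `$.detail.userIdentity.principalId` as a fallback if that matters for your alerts.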