
Ensure a Log Metric Filter and Alarm Rule for NACL Changes

This rule ensures the existence of a log metric filter and alarm for changes to Network Access Control Lists (NACL).

Rule: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
Framework: cis_v130
Severity: Low

Rule Description:

This rule ensures that a log metric filter and alarm exist for changes made to Network Access Control Lists (NACL), as required by control 4.11 of the CIS AWS Foundations Benchmark version 1.3.0 (cis_v130). The filter is applied to the CloudWatch Logs log group that CloudTrail delivers to, so it sees the EC2 API calls that create, delete or modify a NACL or its entries and associations.

NACLs are the stateless, subnet-level packet filters in a VPC. A single added entry can open a subnet to the Internet, so the aim of this rule is to alert on every modification as it happens, which helps detect unauthorized changes and potential security breaches rather than discovering them at the next audit.

Troubleshooting Steps:

  1. Confirm that a CloudTrail trail is enabled for all regions, records management events, and delivers to a CloudWatch Logs log group. Without that delivery the NACL API calls never reach the metric filter.

  2. Confirm that the metric filter is attached to that CloudTrail log group and not to a VPC Flow Logs group. Flow logs record accepted and rejected traffic, not the CreateNetworkAcl and related API calls this control watches.

  3. Check CloudWatch Logs for any errors related to the log metric filter, and test the filter pattern against recent log events from the group.

  4. Ensure that the IAM roles and permissions are correctly configured: the role CloudTrail uses needs logs:CreateLogStream and logs:PutLogEvents on the log group, and the operator creating the filter and alarm needs logs:PutMetricFilter and cloudwatch:PutMetricAlarm.

Necessary Codes:

Below are the JSON definitions for the log metric filter and alarm for NACL changes, in the shape accepted by `aws logs put-metric-filter --cli-input-json` and `aws cloudwatch put-metric-alarm --cli-input-json`. The filter pattern lists the six EC2 API calls named by CIS 1.3.0 control 4.11; the security-group calls (AuthorizeSecurityGroupIngress and friends) belong to the separate security-group control and must not be mixed in here, because a filter that matches them would count security-group edits as NACL changes.

  1. Log Metric Filter:
{
    "logGroupName": "your-log-group-name",
    "filterName": "NACLChanges",
    "filterPattern": "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }",
    "metricTransformations": [
        {
            "metricNamespace": "CloudTrailMetrics",
            "metricName": "NACLChanges",
            "metricValue": "1"
        }
    ]
}
  2. CloudWatch Alarm:
{
    "AlarmName": "NACLChangesAlarm",
    "AlarmDescription": "Alarm triggered when any changes occur in Network Access Control Lists (NACLs).",
    "MetricName": "NACLChanges",
    "Namespace": "CloudTrailMetrics",
    "Statistic": "Sum",
    "Period": 300,
    "EvaluationPeriods": 1,
    "Threshold": 1,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "TreatMissingData": "notBreaching",
    "ActionsEnabled": true,
    "AlarmActions": [
        "your-sns-topic-arn"
    ]
}

The alarm references the metric directly by namespace and name; a metric-math "Metrics" array is not needed and cannot be combined with MetricName in the same request. Because the metric filter publishes no dimensions, the alarm takes none either. TreatMissingData set to notBreaching keeps the alarm in OK during the long stretches when no NACL is touched.
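The following is an added example, not Cloud Defense's or AWS's code: a small offline model of how the filter and alarm above behave. It parses the subset of the CloudWatch Logs filter syntax that the pattern uses (a braced OR-list of `$.field = value` terms), runs it over constructed CloudTrail-style records, applies the metric transformation (one data point of value 1 per matching event) and then applies the alarm's Sum >= 1 over a 300-second period test. The records are constructed for the example and are not real CloudTrail output; the parser supports only the syntax the CIS patterns use.

```python
# Added example (not Cloud Defense's code): offline model of the NACL-change
# metric filter and alarm. Sample records below are constructed, not real.
import re
from datetime import datetime

# The six EC2 API calls CIS AWS Foundations 1.3.0 control 4.11 requires the filter to match.
NACL_EVENTS = (
    "CreateNetworkAcl",
    "CreateNetworkAclEntry",
    "DeleteNetworkAcl",
    "DeleteNetworkAclEntry",
    "ReplaceNetworkAclEntry",
    "ReplaceNetworkAclAssociation",
)

# The same pattern as the Log Metric Filter JSON above, built from the list.
FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {e})" for e in NACL_EVENTS) + " }"

# One "($.field = value)" term; the value may be quoted or bare.
_TERM = re.compile(r'\(\s*\$\.([A-Za-z_][\w.]*)\s*=\s*"?([^\s")]+)"?\s*\)')


def parse_pattern(pattern):
    """Return the [(field, value), ...] terms of a braced, OR-only JSON filter pattern.

    Only the subset the CIS patterns use is supported; anything else raises.
    """
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("pattern must be a JSON selector wrapped in { }")
    inner = body[1:-1]
    terms = _TERM.findall(inner)
    # After removing the terms only OR operators and whitespace may remain.
    leftover = _TERM.sub("", inner).replace("||", "").strip()
    if not terms or leftover:
        raise ValueError(f"unsupported pattern syntax near: {leftover!r}")
    return terms


def _lookup(record, dotted):
    """Resolve a $.a.b selector against a nested dict; None if any step is missing."""
    value = record
    for key in dotted.split("."):
        value = value.get(key) if isinstance(value, dict) else None
    return value


def matches(pattern, record):
    """True if the CloudTrail record satisfies any term of the pattern."""
    return any(str(_lookup(record, field)) == value for field, value in parse_pattern(pattern))


def metric_datapoints(pattern, records, period=300):
    """Apply the metric transformation: each matching event adds 1 to its period bucket.

    Buckets are keyed by period start in epoch seconds, which is how CloudWatch
    aggregates a Sum statistic over the alarm's 300-second period.
    """
    buckets = {}
    for rec in records:
        if matches(pattern, rec):
            ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
            start = int(ts.timestamp()) // period * period
            buckets[start] = buckets.get(start, 0) + 1
    return buckets


def alarm_state(buckets, threshold=1):
    """ALARM if any evaluated period has Sum >= threshold, otherwise OK.

    An empty dict means no data points at all, which with TreatMissingData set
    to notBreaching leaves the alarm in OK.
    """
    return "ALARM" if any(total >= threshold for total in buckets.values()) else "OK"


# Constructed CloudTrail-style records: three NACL changes, one security-group change
# (a different control) and one read-only call, spread over two 5-minute periods.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry"},
    {"eventTime": "2024-03-01T10:02:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventTime": "2024-03-01T10:03:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAcl"},
    {"eventTime": "2024-03-01T10:04:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeNetworkAcls"},
    {"eventTime": "2024-03-01T10:07:45Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclAssociation"},
]


def run_example():
    """Evaluate the sample records: returns (matched event names, datapoints, alarm state)."""
    hits = [r["eventName"] for r in SAMPLE_RECORDS if matches(FILTER_PATTERN, r)]
    points = metric_datapoints(FILTER_PATTERN, SAMPLE_RECORDS)
    return hits, points, alarm_state(points)


if __name__ == "__main__":
    hits, points, state = run_example()
    print("matched:", hits)
    print("datapoints per 300 s period:", points)
    print("alarm state:", state)
```

Running it shows the security-group call and the read-only DescribeNetworkAcls call falling through the filter while the three NACL changes land in two periods, either of which alone would trip the alarm. Swapping in the page's former pattern (security-group names, no entry or association calls) is an easy way to see which changes a mis-scoped filter silently misses.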

Remediation Steps:

Follow the step-by-step guide below to remediate any issues related to the log metric filter and alarm for NACL changes:

  1. Validate Log Metric Filter:

    • Open the CloudWatch console.
    • Go to "Logs", then "Log groups", and select the log group that your CloudTrail trail delivers to.
    • Open the "Metric filters" tab.
    • Verify that a metric filter for NACL changes is present and that its pattern names all six API calls: CreateNetworkAcl, CreateNetworkAclEntry, DeleteNetworkAcl, DeleteNetworkAclEntry, ReplaceNetworkAclEntry and ReplaceNetworkAclAssociation.
    • Check that the filter publishes to the CloudTrailMetrics namespace with the metric name NACLChanges (or whichever namespace and name your alarm references).
  2. Validate CloudWatch Alarm:

    • Open the CloudWatch console.
    • Go to "Alarms" and search for the "NACLChangesAlarm" alarm.
    • Ensure that the alarm exists and that its actions are enabled. An "ALARM" state is not a misconfiguration; it means a NACL change was recorded in the last period.
    • Verify that the alarm action points at the intended SNS topic and that the topic has at least one confirmed subscription. CIS treats an alarm whose topic has no subscribers as non-compliant, since nobody receives the alert.
  3. Troubleshoot Log Metric Filter (if necessary):

    • If no events match, review the filter pattern against a real CreateNetworkAclEntry event from the log group. A pattern that names the security-group APIs (AuthorizeSecurityGroupIngress and related calls) belongs to the security-group control, not this one.
    • Check the CloudTrail event history to verify that the expected events are being recorded; NACL changes are ec2.amazonaws.com management events.
    • Make sure the trail is configured to deliver to the log group the filter is attached to.
    • Ensure the IAM role used by CloudTrail has sufficient permissions to write to the log group.
  4. Troubleshoot CloudWatch Alarm (if necessary):

    • If the CloudWatch alarm is not triggering as expected, review the alarm configuration.
    • Confirm that the metric transformation publishes to the CloudTrailMetrics namespace and the NACLChanges metric name, and that the alarm's Namespace and MetricName match those exactly.
    • Double-check the alarm threshold (1), period (300), statistic (Sum) and comparison operator (GreaterThanOrEqualToThreshold).
    • Verify that the alarm actions are properly configured and pointing to the correct SNS topic.

By following these steps, you can ensure the log metric filter and alarm for changes to Network Access Control Lists (NACLs) are successfully implemented and functioning as intended.
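The validation steps above can be run as an automated audit rather than clicked through. The following is an added example, not Cloud Defense's code: it takes data in the shapes returned by the CloudWatch Logs describe_metric_filters, CloudWatch describe_alarms_for_metric and SNS list_subscriptions_by_topic APIs and reports which of the control's conditions fail (incomplete pattern, no alarm on the metric, actions disabled, no SNS action, no confirmed subscriber). The fixtures at the bottom, including the topic ARN and subscription ARN, are constructed for the example and are not real account data.

```python
# Added example (not Cloud Defense's code): offline audit of the NACL-change
# filter, alarm and SNS wiring. Fixtures below are constructed, not real.
import re

REQUIRED_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry", "ReplaceNetworkAclAssociation",
}


def missing_events(filter_pattern):
    """Return the required NACL API names the pattern does not test for."""
    found = set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)', filter_pattern))
    return REQUIRED_EVENTS - found


def audit_nacl_alarm(metric_filters, alarms, subscriptions_by_topic):
    """Return a list of findings; an empty list means the control is satisfied.

    metric_filters: filters on the CloudTrail log group (filterName, filterPattern,
                    metricTransformations), as describe_metric_filters returns them.
    alarms: alarm dicts with AlarmName, Namespace, MetricName, ActionsEnabled, AlarmActions.
    subscriptions_by_topic: {topic_arn: [subscription dicts with SubscriptionArn]}.
    """
    findings = []
    complete = [f for f in metric_filters if not missing_events(f["filterPattern"])]
    if not complete:
        findings.append("no metric filter on the CloudTrail log group matches every NACL API call")
        for f in metric_filters:
            findings.append(f"filter {f.get('filterName', '?')} lacks {sorted(missing_events(f['filterPattern']))}")
        return findings

    metrics = {(t["metricNamespace"], t["metricName"])
               for f in complete for t in f["metricTransformations"]}
    wired = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not wired:
        findings.append(f"no CloudWatch alarm references the NACL-change metric {sorted(metrics)}")
        return findings

    for alarm in wired:
        name = alarm["AlarmName"]
        # Fail closed: an alarm record without ActionsEnabled is treated as disabled.
        if not alarm.get("ActionsEnabled", False):
            findings.append(f"alarm {name}: actions are disabled")
        topics = [arn for arn in alarm.get("AlarmActions", []) if ":sns:" in arn]
        if not topics:
            findings.append(f"alarm {name}: no SNS topic in AlarmActions")
        for topic in topics:
            subs = subscriptions_by_topic.get(topic, [])
            # SNS reports an unconfirmed subscription with the literal "PendingConfirmation".
            if not any(s.get("SubscriptionArn", "PendingConfirmation") != "PendingConfirmation" for s in subs):
                findings.append(f"alarm {name}: topic {topic} has no confirmed subscriber")
    return findings


# Constructed fixtures (assumed ARNs and names, not from any real account).
GOOD_PATTERN = ("{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || "
                "($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || "
                "($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }")
PARTIAL_PATTERN = ("{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = CreateNetworkAcl) || "
                   "($.eventName = DeleteNetworkAcl) }")
TOPIC = "arn:aws:sns:us-east-1:123456789012:security-alerts"
GOOD_FILTER = {"filterName": "NACLChanges", "filterPattern": GOOD_PATTERN,
               "metricTransformations": [{"metricNamespace": "CloudTrailMetrics",
                                          "metricName": "NACLChanges", "metricValue": "1"}]}
GOOD_ALARM = {"AlarmName": "NACLChangesAlarm", "Namespace": "CloudTrailMetrics",
              "MetricName": "NACLChanges", "ActionsEnabled": True, "AlarmActions": [TOPIC]}
CONFIRMED = {TOPIC: [{"Protocol": "email", "SubscriptionArn": TOPIC + ":11111111-2222-3333-4444-555555555555"}]}
PENDING = {TOPIC: [{"Protocol": "email", "SubscriptionArn": "PendingConfirmation"}]}

COMPLIANT = dict(metric_filters=[GOOD_FILTER], alarms=[GOOD_ALARM], subscriptions_by_topic=CONFIRMED)
INCOMPLETE_FILTER = dict(metric_filters=[dict(GOOD_FILTER, filterPattern=PARTIAL_PATTERN)],
                         alarms=[GOOD_ALARM], subscriptions_by_topic=CONFIRMED)
NO_SUBSCRIBER = dict(metric_filters=[GOOD_FILTER], alarms=[dict(GOOD_ALARM, ActionsEnabled=False)],
                     subscriptions_by_topic=PENDING)


if __name__ == "__main__":
    for label, cfg in [("compliant", COMPLIANT), ("incomplete filter", INCOMPLETE_FILTER),
                       ("disabled alarm, pending subscriber", NO_SUBSCRIBER)]:
        print(label, "->", audit_nacl_alarm(**cfg) or ["OK"])
```

The audit deliberately requires one filter to cover all six calls rather than accepting coverage spread across several filters, which is how the CIS audit procedure reads the control. Feeding it the live `describe_metric_filters`, `describe_alarms_for_metric` and `list_subscriptions_by_topic` responses from boto3 turns it into a scheduled compliance check.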
