This rule ensures the presence of a log metric filter and alarm for any changes made to network gateways.
Rule | Ensure a log metric filter and alarm exist for changes to network gateways |
Framework | cis_v130 |
Severity | ✔ Low |
Rule Description
This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist for changes to network gateways, as required by the CIS AWS Foundations Benchmark v1.3.0 (cis_v130). Network gateways (internet gateways, and customer gateways for VPN connections) are the points through which traffic enters and leaves a VPC; creating, deleting, attaching or detaching one changes what can reach the network. The filter counts the CloudTrail events that record such changes, and the alarm turns a non-zero count into a notification, so that an unexpected change is seen within minutes rather than at the next audit.
Troubleshooting Steps
If the log metric filter and alarm for changes to network gateways are not present, you can follow these troubleshooting steps to resolve the issue:
Verify Permissions: Ensure the identity you are using can create the objects involved: logs:PutMetricFilter and logs:DescribeMetricFilters on the log group, cloudwatch:PutMetricAlarm and cloudwatch:DescribeAlarms, and sns:CreateTopic and sns:Subscribe if the notification topic does not exist yet.
Check Region: CloudTrail delivers to a log group in a single region (the home region of a multi-region trail), and the metric filter and alarm must be created in that same region. Looking for them in the region where a gateway lives, rather than in the region where the trail logs, is a common cause of a false finding.
Confirm CloudTrail Delivery: The gateway change events come from CloudTrail, not from the gateways themselves. Run aws cloudtrail describe-trails and check that a multi-region trail has a CloudWatchLogsLogGroupArn set, and that aws cloudtrail get-trail-status reports IsLogging as true with no LatestCloudWatchLogsDeliveryError. Without CloudTrail-to-CloudWatch Logs delivery the filter has nothing to match.
Review Log Metric Filter: Verify the filter is attached to that log group and that its pattern matches the six event names the benchmark lists: CreateCustomerGateway, DeleteCustomerGateway, AttachInternetGateway, CreateInternetGateway, DeleteInternetGateway and DetachInternetGateway. Event names are matched exactly and case-sensitively, so a misspelled name silently matches nothing.
Validate Alarm Configuration: Review the alarm and confirm that it references the filter's metric name and namespace exactly, uses the Sum statistic with a threshold of 1, has actions enabled, and sends to an SNS topic that has at least one confirmed subscription. An alarm with no subscribers satisfies the check but notifies no one.
Confirm Log Group: Check that the log group is actually receiving events: aws logs describe-log-streams on it should show streams with a recent lastIngestionTime. An empty or stale log group points to a CloudTrail delivery problem, not a filter problem.
Check the CloudTrail Role: CloudTrail writes to CloudWatch Logs through the IAM role named in the trail's CloudWatchLogsRoleArn. If that role was deleted or its policy no longer allows logs:CreateLogStream and logs:PutLogEvents on the log group, delivery stops and the alarm never fires even though filter and alarm both exist.
Monitor and Debug: An alarm that stays in INSUFFICIENT_DATA indefinitely means no datapoints are reaching the metric; check the metric name and namespace first, then CloudTrail delivery. Creating the alarm with --treat-missing-data notBreaching keeps it in OK between events instead of INSUFFICIENT_DATA, which makes a genuine delivery failure easier to notice.
Necessary Codes (if applicable)
There are no specific codes required for this rule. However, you will need to use AWS CLI commands to create and configure the log metric filter and alarm. The necessary commands are provided below.
Step-by-Step Guide for Remediation
Follow these steps to remediate and ensure the presence of a log metric filter and alarm for changes to network gateways:
Open your preferred command-line interface and ensure the AWS CLI is installed and configured with appropriate credentials.
Create a Log Metric Filter:
Run the following AWS CLI command to create a log metric filter on the CloudWatch Logs log group that receives your CloudTrail events:
aws logs put-metric-filter --log-group-name <log-group-name> --filter-name <filter-name> --filter-pattern <filter-pattern> --metric-transformations metricName=<metric-name>,metricNamespace=<metric-namespace>,metricValue=<metric-value>
Replace <log-group-name> with the name of the log group that your multi-region CloudTrail trail delivers to (the last meaningful component of the CloudWatchLogsLogGroupArn shown by aws cloudtrail describe-trails). The events that describe gateway changes are CloudTrail records; a log group that CloudTrail does not write to will never match.
Provide a <filter-name> that uniquely identifies the log metric filter within the log group.
Specify the <filter-pattern> that matches the gateway change events. The pattern the benchmark expects is:
{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }
Quote the pattern on the command line so the shell does not interpret the $ or || characters.
Set <metric-name> and <metric-namespace> to the names the alarm will reference in the next step, and set <metric-value> to 1 so that each matching event adds one to the metric.
Create an Alarm:
Execute the following AWS CLI command to create an alarm on the metric the filter publishes:
aws cloudwatch put-metric-alarm --alarm-name <alarm-name> --comparison-operator <comparison-operator> --evaluation-periods <evaluation-periods> --metric-name <metric-name> --namespace <metric-namespace> --period <period> --statistic <statistic> --threshold <threshold> --actions-enabled --alarm-actions <alarm-action-arns>
Replace <alarm-name> with a suitable name for the alarm.
Choose GreaterThanOrEqualToThreshold as the <comparison-operator> and 1 as the <threshold>, so that a single gateway change raises the alarm; a higher threshold would let isolated changes go unreported.
Set <evaluation-periods> to 1 and <period> to 300 seconds, the values the benchmark uses, so the alarm fires within one five-minute period of the event.
Provide the <metric-name> and <metric-namespace> used in the log metric filter. They must match exactly; otherwise the alarm never receives data and stays in INSUFFICIENT_DATA.
Select Sum as the <statistic>. Each matching event contributes a value of 1, so Sum over the period is the number of gateway changes; Average would read 1 whenever anything happened and tells you nothing about how many.
Keep --actions-enabled so the alarm performs its actions when it changes state.
Specify <alarm-action-arns> as the ARN of an SNS topic that has at least one confirmed subscription (for example the security team's mailbox or paging endpoint). An alarm whose topic has no subscribers passes the check but notifies nobody.
Do not add --dimensions unless the metric transformation also defines them. A metric filter publishes its metric without dimensions by default, and an alarm keyed on a dimension the metric lacks (such as a gateway ID or VPC ID) will never match any data.
Validate and Test:
Confirm that aws logs describe-metric-filters on the log group lists the filter with the expected pattern, and that aws cloudwatch describe-alarms shows the alarm with actions enabled and the SNS topic as its action. INSUFFICIENT_DATA immediately after creation is normal until the first period elapses; an alarm that never leaves that state usually means the metric name or namespace does not match the filter. To test end to end, make a benign change in a non-production account (for example create and then delete an unattached internet gateway) and confirm the notification arrives.
By following these steps you will have a log metric filter and alarm for changes to network gateways, which satisfies the cis_v130 check. Bear in mind that the benchmark's pattern covers internet gateways and customer gateways only; changes to NAT, transit or VPN gateways are not matched unless you extend the filter pattern with their event names.