
Ensure a Log Metric Filter and Alarm Exist for Route Table Changes Rule

This rule ensures the existence of a log metric filter and alarm for route table changes.

Rule: Ensure a log metric filter and alarm exist for route table changes
Framework: cis_v130
Severity: Low

Rule Description: Log Metric Filter and Alarm for Route Table Changes for cis_v130

Rule Overview:

This rule is designed to ensure that an appropriate log metric filter and alarm are in place to monitor route table changes in the cis_v130 environment. By implementing this rule, any modifications or updates to the route tables will trigger alerts, allowing for timely investigation and response to any unauthorized or unexpected changes.

Rule Implementation:

To implement this rule, follow the detailed steps provided below.

Step 1: Create a Log Metric Filter

  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon CloudWatch service.
  3. Select "Log groups" from the sidebar menu.
  4. Locate the log group associated with the cis_v130 environment (the log group that receives your CloudTrail events, since the pattern below matches CloudTrail fields).
  5. Click on the log group name to open the log group details.
  6. Choose the "Create metric filter" button.
  7. In the "Filter pattern" input field, enter the following CloudWatch Logs filter pattern: { ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute)) }. CloudTrail delivers JSON events, so the pattern uses CloudWatch's JSON filter syntax; the parentheses matter, because the three eventName alternatives must be grouped together before they are combined with the eventSource condition.
  8. Specify a name for the metric filter, such as "RouteTableChangesMetricFilter".
  9. In the "Create a new metric filter" section, configure the filter to extract the necessary fields (e.g., route table ID, VPC ID).
  10. Click on the "Test pattern" button to verify that the filter correctly matches the desired events.
  11. Select "Assign a new metric" and provide a name for the metric, such as "RouteTableChangesMetric".
  12. Choose a unit and define the metric value for aggregation (e.g., count, sum, average).
  13. Confirm the configuration by clicking on the "Create filter" button.

Step 2: Create an Alarm

  1. After creating the log metric filter, navigate to the Amazon CloudWatch service page.
  2. Click on "Alarms" in the sidebar menu.
  3. Select the "Create alarm" button.
  4. In the "Create alarm" wizard, select the "Select metric" button.
  5. Choose the "RouteTableChangesMetric" metric from the list.
  6. Define the threshold for the alarm based on the desired detection criteria (e.g., number of route table changes).
  7. Set the period, evaluation periods, and actions for the alarm as per your requirements.
  8. Provide a name and description for the alarm, such as "RouteTableChangesAlarm".
  9. Optionally, configure additional actions to be taken when the alarm state changes (e.g., sending notifications, triggering AWS Lambda functions).
  10. Click on the "Create alarm" button to finalize the alarm creation.
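The two steps above produce a metric filter and an alarm that must line up with each other for the control to be met. The following is an added example, not code from this page or from Cloud Defense, of an offline compliance check over the output of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`: it confirms that some filter on the CloudTrail log group names the three route-table events above, that the filter emits a metric, and that an alarm with at least one action watches that metric. The sample inputs, the "CISBenchmark" namespace and the SNS topic ARN are constructed for illustration; the comment on REQUIRED_EVENTS notes the additional event names CIS 1.3.0 lists, which go beyond the pattern used on this page.

```python
import re

# Route-table API calls named in the page's filter pattern. CIS 1.3.0 also lists
# CreateRouteTable, DeleteRouteTable, ReplaceRouteTableAssociation and
# DisassociateRouteTable; add them here to audit against the full control.
REQUIRED_EVENTS = {"CreateRoute", "ReplaceRoute", "DeleteRoute"}

# Constructed sample of `aws logs describe-metric-filters` output (metricFilters list).
SAMPLE_FILTERS = [{
    "filterName": "RouteTableChangesMetricFilter",
    "logGroupName": "CloudTrail/DefaultLogGroup",
    "filterPattern": "{ ($.eventSource = ec2.amazonaws.com) && "
                     "(($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) "
                     "|| ($.eventName = DeleteRoute)) }",
    "metricTransformations": [{"metricName": "RouteTableChangesMetric",
                               "metricNamespace": "CISBenchmark", "metricValue": "1"}],
}]
# Constructed sample of `aws cloudwatch describe-alarms` output (MetricAlarms list).
SAMPLE_ALARMS = [{
    "AlarmName": "RouteTableChangesAlarm", "Namespace": "CISBenchmark",
    "MetricName": "RouteTableChangesMetric", "Threshold": 1.0,
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]

def pattern_events(pattern):
    """Event names compared against $.eventName in a CloudWatch JSON filter pattern."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))

def pattern_covers(pattern, required=REQUIRED_EVENTS):
    """True if the pattern is scoped to EC2 and names every required event."""
    scoped = re.search(r'\$\.eventSource\s*=\s*"?ec2\.amazonaws\.com"?', pattern)
    return bool(scoped) and required <= pattern_events(pattern)

def evaluate(metric_filters, alarms):
    """Return (compliant, findings) for a log group's filters and the account's alarms."""
    findings = []
    for mf in metric_filters:
        if not pattern_covers(mf.get("filterPattern", "")):
            continue  # this filter is about something else
        for t in mf.get("metricTransformations", []):
            key = (t["metricNamespace"], t["metricName"])
            matching = [a for a in alarms
                        if (a.get("Namespace"), a.get("MetricName")) == key]
            if not matching:
                findings.append("no alarm on metric %s/%s" % key)
            for a in matching:
                if a.get("AlarmActions"):  # an alarm that notifies nobody is not a control
                    return True, ["%s -> %s/%s -> %s" % (mf["filterName"], key[0],
                                                          key[1], a["AlarmName"])]
                findings.append("alarm %s has no actions" % a["AlarmName"])
    if not findings:
        findings.append("no metric filter covers %s" % sorted(REQUIRED_EVENTS))
    return False, findings
```

Run it against the real CLI output (saved to JSON) for each region and each CloudTrail log group; a `False` result with its findings tells you which half of the pair is missing.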

Troubleshooting Steps (if applicable):

In case the log metric filter or alarm is not functioning as expected, follow the troubleshooting steps below:

  1. Verify that the metric filter's filter pattern is correctly defined as: { ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = ReplaceRoute) || ($.eventName = DeleteRoute)) }.
  2. Ensure that the log group associated with the cis_v130 environment is correctly identified and selected when creating the metric filter.
  3. Double-check that the necessary fields are properly extracted and assigned when configuring the metric filter.
  4. Confirm that log events for the relevant route table changes are present in the log group.
  5. Check that the alarm threshold and evaluation periods are set appropriately to detect route table changes.
  6. Verify that the actions associated with the alarm are correctly configured (e.g., notification recipients, AWS Lambda functions).

If the issue persists after following the troubleshooting steps, review the CloudWatch Logs, log group, metric filter, and alarm configurations for any potential errors or inconsistencies.

Additional Notes (if applicable):

  • Ensure that appropriate permissions are granted to the AWS Identity and Access Management (IAM) user/role used for log metric filter and alarm configuration.
  • Regularly monitor the alarm state and review the corresponding logs to promptly identify and respond to any unauthorized or unexpected route table changes.
