
Ensure a Log Metric Filter and Alarm Exist for IAM Policy Changes Rule

This rule ensures the presence of a log metric filter and alarm for monitoring IAM policy changes.

Rule: Ensure a log metric filter and alarm exist for IAM policy changes
Framework: cis_v130
Severity: Low

Rule Description

This rule ensures that a log metric filter and corresponding alarm are in place to detect any changes made to the IAM policies within the AWS environment, in compliance with CIS Benchmark version 1.3.0 (cis_v130). IAM policy changes refer to modifications, additions, or deletions made to the permissions and access control policies governing AWS resources and services.

Troubleshooting Steps

If the log metric filter and alarm for IAM policy changes are not present, the following troubleshooting steps can be taken:

  1. Verify IAM Policy Changes: Use AWS CloudTrail to check whether there have been any recent IAM policy changes. This can help identify if new IAM policies were added, existing policies were modified, or policies were removed.
  2. Check CloudTrail Logs: Ensure that CloudTrail logs are being collected and stored in an S3 bucket for analysis. If the logs are missing or not being stored properly, adjust the CloudTrail settings to capture the necessary information.
  3. Review IAM Role Permissions: Verify that the IAM role associated with CloudTrail has the necessary permissions to access the required S3 bucket for log storage. Adjust the role permissions if necessary.
  4. Update/Create Log Metric Filter and Alarm: If the log metric filter and alarm do not exist, follow the steps below to create them.

CloudFormation Template

The following CloudFormation template provides the necessary code to create the log metric filter and alarm:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # The metric filter only sees events in the log group that CloudTrail delivers to
  # (the trail's CloudWatch Logs setting must point at this group); a log group that
  # no trail writes to never produces a data point.
  IAMPolicyChangeLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/iam/IAMPolicyChange
  IAMPolicyChangeMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref IAMPolicyChangeLogGroup
      FilterPattern: '{ ($.eventName = PutGroupPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || ($.eventName = RemoveUserFromGroup) || ($.eventName = AddUserToGroup) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreateUser) || ($.eventName = DeleteUser) }'
      MetricTransformations:
        - MetricName: IAMPolicyChanges
          MetricNamespace: CloudTrailMetrics
          MetricValue: "1"
  IAMPolicyChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: IAMPolicyChangeAlarm
      AlarmDescription: This alarm is triggered when IAM policy changes are detected.
      # Namespace and MetricName must match the metric filter's transformation exactly,
      # and the filter publishes no dimensions, so the alarm must not declare any;
      # otherwise the alarm watches a metric that never receives data.
      Namespace: CloudTrailMetrics
      MetricName: IAMPolicyChanges
      AlarmActions:
        - <INSERT SNS TOPIC ARN HERE>
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: ignore
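The following is an added example, not code from the Cloud Defense page or its template: a Python check that evaluates records shaped like boto3's describe_metric_filters() and describe_alarms() responses and reports why this control would fail, including the common case of an alarm whose Namespace or Dimensions do not match what the metric filter actually publishes. The sample records, the metric names and the SNS topic ARN are constructed for the demonstration.

```python
import re

# FilterPattern from the template above; a deployed filter must cover every eventName it lists.
REQUIRED_PATTERN = (
    "{ ($.eventName = PutGroupPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || "
    "($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || "
    "($.eventName = RemoveUserFromGroup) || ($.eventName = AddUserToGroup) || ($.eventName = AttachUserPolicy) || "
    "($.eventName = DetachUserPolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreateUser) || "
    "($.eventName = DeleteUser) }"
)
_EVENT_RE = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?')

def event_names(filter_pattern):
    """Set of eventName literals a CloudWatch Logs filter pattern tests for."""
    return set(_EVENT_RE.findall(filter_pattern))

def evaluate(metric_filters, alarms):
    """Check describe_metric_filters()/describe_alarms()-shaped records for this control.
    Returns a list of finding strings; an empty list means the control is satisfied."""
    required = event_names(REQUIRED_PATTERN)
    metrics = []  # (namespace, name, dimension-name set) of every filter covering `required`
    for mf in metric_filters:
        if required - event_names(mf.get("filterPattern", "")):
            continue  # this filter misses at least one required eventName
        for mt in mf.get("metricTransformations", []):
            metrics.append((mt["metricNamespace"], mt["metricName"], set(mt.get("dimensions", {}))))
    if not metrics:
        return ["no metric filter covers every required IAM eventName"]
    findings = []
    for ns, name, dims in metrics:
        # An alarm only receives the metric if namespace, name AND dimensions all match the filter.
        matched = [a for a in alarms if a.get("Namespace") == ns and a.get("MetricName") == name
                   and {d["Name"] for d in a.get("Dimensions", [])} == dims]
        if not matched:
            findings.append(f"no alarm bound to metric {ns}/{name} (check Namespace and Dimensions)")
        elif not any(act.startswith("arn:aws:sns:") for a in matched for act in a.get("AlarmActions", [])):
            findings.append(f"alarm on {ns}/{name} has no SNS AlarmAction")
    return findings

# Constructed sample records (not from a real account); BROKEN_ALARM watches the wrong namespace.
SAMPLE_FILTERS = [{"filterName": "IAMPolicyChangeMetricFilter", "filterPattern": REQUIRED_PATTERN,
                   "metricTransformations": [{"metricName": "IAMPolicyChanges",
                                              "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}]}]
BROKEN_ALARM = {"AlarmName": "IAMPolicyChangeAlarm", "Namespace": "AWS/Logs", "MetricName": "IAMPolicyChanges",
                "Dimensions": [{"Name": "LogGroupName", "Value": "/aws/iam/IAMPolicyChange"}],
                "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}
FIXED_ALARM = {**BROKEN_ALARM, "Namespace": "CloudTrailMetrics", "Dimensions": []}

if __name__ == "__main__":
    print(evaluate(SAMPLE_FILTERS, [BROKEN_ALARM]))  # one finding: alarm not bound to the filter's metric
    print(evaluate(SAMPLE_FILTERS, [FIXED_ALARM]))   # []
```

Against a live account, feed the function the `metricFilters` and `MetricAlarms` lists returned by the two boto3 calls for the trail's log group.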

Step-by-Step Guide for Remediation

Follow the steps below to create the log metric filter and alarm using the AWS Management Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to the AWS CloudFormation service.
  3. Click on "Create stack" and select "With new resources (standard)".
  4. Choose "Amazon S3 URL" as the template source and enter the URL of the CloudFormation template with the IAM policy change log metric filter and alarm code.
  5. Click "Next" and provide a stack name, e.g., "IAMPolicyChangeDetection".
  6. Adjust any other stack settings as necessary and click "Next".
  7. Review the stack details and click "Create stack" to initiate the creation process.
  8. Wait for the stack creation to complete. This may take a few minutes.
  9. Once the stack has been successfully created, the resources it declares, such as a CloudWatch log group, metric filter, and alarm, will have been provisioned automatically.
  10. To validate the setup, open the CloudWatch service from the AWS Management Console.
  11. Locate the IAMPolicyChangeAlarm and ensure its state is "OK".
  12. Test the alarm by making a sample IAM policy change and confirm that the alarm is triggered.

By following these steps, you will have successfully implemented the log metric filter and alarm to detect any IAM policy changes in your AWS environment. Monitoring and addressing these changes promptly can help maintain security and compliance within your organization.
