This rule ensures the presence of a log metric filter and alarm for monitoring IAM policy changes.
| Rule | Ensure a log metric filter and alarm exist for IAM policy changes |
| --- | --- |
| Framework | cis_v130 |
| Severity | ✔ Low |
Rule Description
This rule ensures that a log metric filter and corresponding alarm are in place to detect any changes made to the IAM policies within the AWS environment, in compliance with CIS Benchmark version 1.3.0 (cis_v130). IAM policy changes refer to modifications, additions, or deletions made to the permissions and access control policies governing AWS resources and services.
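To make the detection concrete, the following added example (written for this page, not code from the benchmark or from any AWS tool) evaluates the control's filter pattern locally against constructed CloudTrail-style records and emulates the metric and alarm arithmetic (one metric value per matching event, summed per 300-second period, ALARM when the sum reaches 1). The pattern parser only handles the OR-of-equalities shape used by this control and is an approximation of the CloudWatch Logs matcher, not the real one; the records, account id and principal ARNs are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Filter pattern for IAM policy changes, copied from the CloudFormation template on this page.
FILTER_PATTERN = (
    "{ ($.eventName = PutGroupPolicy) || ($.eventName = CreatePolicy) || "
    "($.eventName = DeletePolicy) || ($.eventName = AttachRolePolicy) || "
    "($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || "
    "($.eventName = RemoveUserFromGroup) || ($.eventName = AddUserToGroup) || "
    "($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || "
    "($.eventName = PutUserPolicy) || ($.eventName = CreateUser) || "
    "($.eventName = DeleteUser) }"
)

# Alarm settings from the template: Statistic Sum over a 300-second period,
# one evaluation period, ALARM when Sum >= 1.
PERIOD_SECONDS = 300
THRESHOLD = 1


def pattern_event_names(pattern):
    """Return the eventName literals in an OR-of-equalities filter pattern.

    Handles only the '{ ($.eventName = X) || ... }' shape used by this control;
    it is a local approximation, not the CloudWatch Logs pattern parser.
    """
    return set(re.findall(r"\$\.eventName\s*=\s*([A-Za-z0-9]+)", pattern))


def filter_matches(pattern, record):
    """True when the metric filter would count this CloudTrail record."""
    return record.get("eventName") in pattern_event_names(pattern)


def _period_start(event_time, period):
    """Align a CloudTrail eventTime ('YYYY-MM-DDTHH:MM:SSZ', UTC) to its period start (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()) // period * period


def metric_by_period(records, pattern=FILTER_PATTERN, period=PERIOD_SECONDS):
    """Emulate MetricValue "1" per matching log event, summed per period.

    Returns {period_start_epoch: sum}. Periods with no matching events are
    absent, which is the 'missing data' case that TreatMissingData governs.
    """
    counts = Counter()
    for record in records:
        if filter_matches(pattern, record):
            counts[_period_start(record["eventTime"], period)] += 1
    return dict(counts)


def alarm_periods(records, pattern=FILTER_PATTERN, period=PERIOD_SECONDS, threshold=THRESHOLD):
    """ISO timestamps of the period starts in which the alarm would enter ALARM."""
    return [
        datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        for start, total in sorted(metric_by_period(records, pattern, period).items())
        if total >= threshold
    ]


# Constructed CloudTrail-style records (not real events; the account id and
# principals are placeholders). Only the fields this example reads are included.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T10:01:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"}},
    {"eventTime": "2024-01-15T10:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"}},
    {"eventTime": "2024-01-15T10:14:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/example-deployer"}},
    {"eventTime": "2024-01-15T10:14:50Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"}},
    {"eventTime": "2024-01-15T10:16:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-auditor"}},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        flag = "FLAGGED" if filter_matches(FILTER_PATTERN, record) else "ignored"
        print(f"{record['eventTime']} {record['eventName']:<20} {flag}")
    print("periods that would alarm:", alarm_periods(SAMPLE_RECORDS))
```

Read-only IAM calls such as GetUser and non-IAM activity are not counted, and two changes landing in the same five-minute window produce a single ALARM transition for that period, which is why the alarm description, not the metric value, should carry the instruction to review CloudTrail for every change in the window.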
Troubleshooting Steps
If the log metric filter and alarm for IAM policy changes are not present, the following troubleshooting steps can be taken:
CloudFormation Template
The following CloudFormation template creates the log metric filter and alarm. It assumes CloudTrail is already delivering to a CloudWatch Logs log group; that log group's name and the SNS topic ARN to notify are passed in as parameters:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Log metric filter and alarm for IAM policy changes (CIS v1.3.0)

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: Name of the existing CloudWatch Logs log group that CloudTrail delivers to
  AlarmNotificationTopicArn:
    Type: String
    Description: ARN of the SNS topic to notify when the alarm fires

Resources:
  IAMPolicyChangeMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      # The filter must be attached to the log group CloudTrail writes to;
      # a newly created, empty log group would never receive these events.
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ ($.eventName = PutGroupPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || ($.eventName = RemoveUserFromGroup) || ($.eventName = AddUserToGroup) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreateUser) || ($.eventName = DeleteUser) }'
      MetricTransformations:
        - MetricName: IAMPolicyChanges
          MetricNamespace: CloudTrailMetrics
          MetricValue: "1"

  IAMPolicyChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: IAMPolicyChangeAlarm
      AlarmDescription: This alarm is triggered when IAM policy changes are detected.
      # Namespace and MetricName must match the filter's MetricTransformations
      # exactly, otherwise the alarm watches a metric that is never published.
      # The filter publishes the metric without dimensions, so none are set here.
      Namespace: CloudTrailMetrics
      MetricName: IAMPolicyChanges
      AlarmActions:
        - !Ref AlarmNotificationTopicArn
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      # "ignore" keeps the current state through periods with no events;
      # use notBreaching if the alarm should return to OK once changes stop.
      TreatMissingData: ignore
```
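Deploying the filter and alarm is not the whole control; what auditors (and this rule) check is that a filter covering the required IAM events exists and that an alarm with a notification action actually watches the metric that filter publishes. The added example below (written for this page, not part of the rule's own tooling) performs that check over dictionaries shaped like the lists boto3 returns from `logs.describe_metric_filters()['metricFilters']` and `cloudwatch.describe_alarms()['MetricAlarms']`; feeding it live output from those calls is an assumption left to the reader. The required event set is the one from the CIS AWS Foundations Benchmark v1.3.0 filter pattern for this control, which is broader than the thirteen events in the template on this page (the benchmark also lists the DeleteGroupPolicy/DeleteRolePolicy/DeleteUserPolicy, CreatePolicyVersion/DeletePolicyVersion and AttachGroupPolicy/DetachGroupPolicy calls, and omits the user and group-membership events). The first constructed input reproduces a common misconfiguration, an alarm whose Namespace (AWS/Logs) differs from the filter's MetricNamespace (CloudTrailMetrics), so the alarm can never fire; the second is a corrected configuration. Account id, log group and topic names are placeholders.

```python
import re

# Event names in the CIS AWS Foundations Benchmark v1.3.0 filter pattern for
# "Ensure a log metric filter and alarm exist for IAM policy changes".
CIS_V130_IAM_POLICY_EVENTS = frozenset({
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
})

# Filter pattern as written in the template on this page.
PAGE_PATTERN = (
    "{ ($.eventName = PutGroupPolicy) || ($.eventName = CreatePolicy) || "
    "($.eventName = DeletePolicy) || ($.eventName = AttachRolePolicy) || "
    "($.eventName = DetachRolePolicy) || ($.eventName = PutRolePolicy) || "
    "($.eventName = RemoveUserFromGroup) || ($.eventName = AddUserToGroup) || "
    "($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || "
    "($.eventName = PutUserPolicy) || ($.eventName = CreateUser) || "
    "($.eventName = DeleteUser) }"
)
# Pattern built from the CIS event set (same OR-of-equalities shape).
CIS_PATTERN = "{" + "||".join(f"($.eventName={e})" for e in sorted(CIS_V130_IAM_POLICY_EVENTS)) + "}"


def pattern_event_names(pattern):
    """Event names referenced as `$.eventName = X` in a filter pattern (OR-of-equalities shape only)."""
    return set(re.findall(r"\$\.eventName\s*=\s*([A-Za-z0-9]+)", pattern))


def audit_iam_policy_change_alarm(metric_filters, alarms, required_events=CIS_V130_IAM_POLICY_EVENTS):
    """Evaluate the control. Inputs use the key names of boto3's
    describe_metric_filters()['metricFilters'] and describe_alarms()['MetricAlarms']
    (assumption: caller passes those lists, or constructed dicts with the same keys)."""
    required = set(required_events)
    findings = []

    # 1. Pick the filter whose pattern covers the most required events.
    best, best_missing = None, required
    for mf in metric_filters:
        missing = required - pattern_event_names(mf.get("filterPattern", ""))
        if len(missing) < len(best_missing):
            best, best_missing = mf, missing
    if best is None:
        return {"compliant": False, "findings": ["no metric filter references any of the required IAM events"]}
    if best_missing:
        findings.append(f"filter {best['filterName']} does not cover: {sorted(best_missing)}")

    # 2. An alarm must watch exactly the (namespace, metric) the filter publishes;
    #    a mismatch means the alarm watches a metric that never receives data.
    emitted = {(t["metricNamespace"], t["metricName"]) for t in best.get("metricTransformations", [])}
    watching = [a for a in alarms if (a.get("Namespace"), a.get("MetricName")) in emitted]
    if not watching:
        findings.append(f"no alarm watches the metric published by {best['filterName']}: {sorted(emitted)}")
    # 3. The alarm must notify someone (an SNS topic in AlarmActions).
    elif not any(a.get("AlarmActions") for a in watching):
        findings.append("alarm on the IAM policy change metric has no AlarmActions (no SNS topic is notified)")

    return {"compliant": not findings, "findings": findings}


# Constructed input: filter publishes to CloudTrailMetrics, alarm watches AWS/Logs.
PAGE_FILTERS = [{
    "filterName": "IAMPolicyChangeMetricFilter",
    "logGroupName": "example-cloudtrail-log-group",
    "filterPattern": PAGE_PATTERN,
    "metricTransformations": [
        {"metricName": "IAMPolicyChanges", "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}],
}]
PAGE_ALARMS = [{
    "AlarmName": "IAMPolicyChangeAlarm", "Namespace": "AWS/Logs", "MetricName": "IAMPolicyChanges",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example-security-alerts"],
    "Statistic": "Sum", "Period": 300, "Threshold": 1,
}]
# Corrected input: CIS pattern, and the alarm namespace matches the filter's.
FIXED_FILTERS = [dict(PAGE_FILTERS[0], filterPattern=CIS_PATTERN)]
FIXED_ALARMS = [dict(PAGE_ALARMS[0], Namespace="CloudTrailMetrics")]

if __name__ == "__main__":
    for label, mfs, als in (("mismatched", PAGE_FILTERS, PAGE_ALARMS), ("corrected", FIXED_FILTERS, FIXED_ALARMS)):
        result = audit_iam_policy_change_alarm(mfs, als)
        print(label, "compliant" if result["compliant"] else "NON-COMPLIANT")
        for finding in result["findings"]:
            print("  -", finding)
```

The check deliberately keys the alarm lookup on the (Namespace, MetricName) pair the filter emits rather than on alarm names, because that pair is what CloudWatch uses to route data; a filter on the wrong log group would surface separately as a metric that never receives data, which is a reason to also confirm `logGroupName` is the CloudTrail log group when running this against a live account.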
Step-by-Step Guide for Remediation
Follow the steps below to create the log metric filter and alarm using the AWS Management Console:
By following these steps, you will have successfully implemented the log metric filter and alarm to detect any IAM policy changes in your AWS environment. Monitoring and addressing these changes promptly can help maintain security and compliance within your organization.