
Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes Rule

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes.

Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Framework: cis_v130
Severity: Low

Rule Description:

This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist for CloudTrail configuration changes, as required by control 4.5 of the CIS (Center for Internet Security) AWS Foundations Benchmark version 1.3.0 (cis_v130). Changes to the trail itself (creating, updating or deleting it, or stopping its logging) are the events an attacker uses to blind the audit log, so they must raise an alert rather than merely be recorded.

Troubleshooting Steps (if applicable):

If the log metric filter and alarm for CloudTrail configuration changes are missing or not properly configured, follow these troubleshooting steps:

  1. Verify that CloudTrail is enabled in your AWS account with at least one multi-region trail that delivers to a CloudWatch Logs log group. If it is not, follow the AWS documentation to enable CloudTrail and configure CloudWatch Logs delivery; a filter on a log group that receives no trail events can never fire.
  2. Check whether any metric filters and alarms for CloudTrail configuration changes already exist on that log group, and confirm that they are configured correctly and actually fire.
  3. Review the trail's configuration to ensure that management events, which include CloudTrail configuration changes, are being logged.
  4. Verify that the IAM role CloudTrail uses for CloudWatch Logs delivery can write to the log group (logs:CreateLogStream and logs:PutLogEvents on that group). The role does not need to create alarms; without write permission, however, no events reach the filter and the alarm never fires.
  5. If any issues are detected, correct the metric filter and alarm configurations.

Necessary Codes (if applicable):

No code is required to apply this rule through the console. The same configuration can also be created with AWS CLI commands (aws logs put-metric-filter and aws cloudwatch put-metric-alarm) or with CloudFormation, depending on how you carry out the remediation steps below.

Remediation Steps:

Follow these step-by-step instructions to remediate the rule if it is flagged as non-compliant:

  1. Open the AWS Management Console and navigate to the CloudWatch service.
  2. In the left navigation pane, click "Logs", then "Log groups", and select the log group that your multi-region CloudTrail trail delivers to.
  3. Click "Create metric filter".
  4. Enter the filter pattern specified by CIS v1.3.0 control 4.5. It matches creation, modification and deletion of trails as well as starting and stopping logging; a pattern that omits StartLogging and StopLogging would let someone silence the trail without tripping the alarm:
{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
  5. Optionally test the pattern against recent log data from the group, then click "Next".
  6. Enter a filter name, a metric namespace and a metric name.
  7. Set the metric value to 1 and click "Create filter".
  8. Return to the CloudWatch service homepage and click "Alarms".
  9. Click "Create alarm".
  10. Select the metric the filter publishes (the namespace and name from step 6) as the metric to alarm on.
  11. Set the statistic to Sum, the period to 5 minutes and the threshold to greater than or equal to 1, so that a single matching event triggers the alarm.
  12. Under actions, choose an SNS topic that has at least one active subscriber; the CIS audit checks for the subscription, not just for the topic.
  13. Provide a descriptive alarm name and description.
  14. Review the alarm settings and click "Create alarm".

Once the above steps are completed, a log metric filter and alarm will be in place to monitor CloudTrail configuration changes as per the CIS benchmark (cis_v130). Any subsequent change to the trail's configuration that is delivered to the log group will trigger the alarm and notify the subscribed SNS topic, allowing you to investigate and mitigate potential security risks.

Note: Remember to periodically review and update the alarm settings as needed to align with your organization's security requirements and compliance standards.
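The troubleshooting and remediation steps above, as an added shell script that is not part of the original page and is not Cloud Defense's own tooling. It uses only AWS CLI subcommands that exist today (cloudtrail describe-trails, logs describe-metric-filters, logs put-metric-filter, sns create-topic, sns subscribe, cloudwatch put-metric-alarm) and assumes that credentials and a region are already configured and that the trail delivers to a CloudWatch Logs group. The filter, metric, namespace, alarm and topic names are illustrative choices, not names the benchmark mandates. The pattern_covers_cis check encodes the CIS requirement that the filter name all five events, so it rejects a pattern that lists only CreateTrail, UpdateTrail and DeleteTrail.

```shell
#!/bin/sh
# Added example for this page (not Cloud Defense's own tooling): audit and remediate
# CIS AWS Foundations Benchmark v1.3.0 control 4.5 (CloudTrail configuration changes)
# with the AWS CLI. Assumptions: credentials and region are already configured, the
# trail delivers to a CloudWatch Logs group, and the filter/metric/alarm/topic names
# below are illustrative. Set AWS=echo to print the commands instead of running them.
set -eu

AWS="${AWS:-aws}"
FILTER_NAME="CIS-4-5-CloudTrailChanges"
METRIC_NAME="CloudTrailConfigChangeCount"
METRIC_NAMESPACE="CISBenchmark"
ALARM_NAME="CIS-4-5-CloudTrailChanges"
TOPIC_NAME="CIS-4-5-CloudTrailChanges"

# The filter pattern CIS 4.5 specifies: trail create/update/delete plus start/stop logging.
CIS_PATTERN='{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }'
REQUIRED_EVENTS="CreateTrail UpdateTrail DeleteTrail StartLogging StopLogging"

# Return 0 only if a filter pattern names every event CIS 4.5 requires. A pattern that
# omits StopLogging lets someone silence the trail without ever tripping the alarm.
pattern_covers_cis() {
  for ev in $REQUIRED_EVENTS; do
    case "$1" in
      *"$ev"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Troubleshooting: one line per trail with its multi-region flag and the CloudWatch Logs
# group it delivers to. An empty last column means nothing reaches the metric filter.
show_trails() {
  "$AWS" cloudtrail describe-trails \
    --query 'trailList[].[Name,IsMultiRegionTrail,CloudWatchLogsLogGroupArn]' --output text
}

# Troubleshooting: grade every metric filter on the log group as OK or WEAK.
audit_filters() {   # $1 = CloudWatch Logs group name
  tab="$(printf '\t')"
  "$AWS" logs describe-metric-filters --log-group-name "$1" \
    --query 'metricFilters[].[filterName,filterPattern]' --output text |
  while IFS="$tab" read -r name pattern; do
    if pattern_covers_cis "$pattern"; then echo "OK   $name"; else echo "WEAK $name: $pattern"; fi
  done
}

# Remediation: the metric filter on the trail's log group (console steps 2-7).
create_metric_filter() {   # $1 = CloudWatch Logs group name
  "$AWS" logs put-metric-filter \
    --log-group-name "$1" \
    --filter-name "$FILTER_NAME" \
    --filter-pattern "$CIS_PATTERN" \
    --metric-transformations "metricName=$METRIC_NAME,metricNamespace=$METRIC_NAMESPACE,metricValue=1"
}

# Remediation: an SNS topic with one e-mail subscriber, because CIS checks for an
# active subscription, not just a topic. Prints the topic ARN.
create_topic_with_subscriber() {   # $1 = e-mail address to notify
  arn="$("$AWS" sns create-topic --name "$TOPIC_NAME" --query TopicArn --output text)"
  "$AWS" sns subscribe --topic-arn "$arn" --protocol email --notification-endpoint "$1" >/dev/null
  echo "$arn"
}

# Remediation: alarm that fires when one or more matching events land in a 5-minute
# period and notifies the topic (console steps 8-14).
create_alarm() {   # $1 = SNS topic ARN
  "$AWS" cloudwatch put-metric-alarm \
    --alarm-name "$ALARM_NAME" \
    --alarm-description "CloudTrail configuration change detected (CIS 4.5)" \
    --metric-name "$METRIC_NAME" --namespace "$METRIC_NAMESPACE" \
    --statistic Sum --period 300 --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold --evaluation-periods 1 \
    --treat-missing-data notBreaching \
    --alarm-actions "$1"
}

main() {
  case "${1:-}" in
    audit)     show_trails; audit_filters "${2:?log-group required}" ;;
    remediate) topic="$(create_topic_with_subscriber "${3:?email required}")"
               create_metric_filter "${2:?log-group required}"
               create_alarm "$topic" ;;
    *) echo "usage: $0 audit <log-group> | remediate <log-group> <email>" >&2; return 2 ;;
  esac
}

# Dispatch only when arguments were given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `sh cis45.sh audit /aws/cloudtrail/<log-group>` first; a WEAK line means an existing filter lists fewer than the five events, which is exactly what the CIS audit flags. Then `sh cis45.sh remediate /aws/cloudtrail/<log-group> ops@example.com` creates the topic, filter and alarm; the e-mail subscription must still be confirmed from the inbox before the alarm's notification counts as a live subscriber.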
