This rule ensures the presence of a log metric filter and alarm for the disabling or scheduled deletion of customer created CMKs.
Rule | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
Framework | cis_v130 |
Severity | Low |
Rule Description: Log Metric Filter and Alarm for Disabling or Scheduled Deletion of Customer Created CMKs
This rule ensures that a log metric filter and alarm exist to capture any attempt, successful or denied, to disable or schedule deletion of a customer created Customer Master Key (CMK), as required by the CIS AWS Foundations Benchmark v1.3.0.
Policy Details:
Rule Remediation:
Follow these steps to implement the necessary components to fulfill this rule.
Step 1: Create a Log Metric Filter:
Go to the Amazon CloudWatch console: https://console.aws.amazon.com/cloudwatch/.
In the navigation pane, click on "Log groups" and locate the CloudTrail log group (e.g., /aws/cloudtrail/<your-cloudtrail-log-group>). Click on the log group to open its details.
In the "Actions" dropdown, select "Create Metric Filter."
Specify a filter pattern that matches the KMS DisableKey and ScheduleKeyDeletion API calls. The pattern defined by the benchmark is:
{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }
This pattern matches every CloudTrail record in which a principal disables or schedules deletion of a CMK. It deliberately has no clause on errorCode, so denied attempts are counted as well; that is the intent of the rule, since an unauthorized attempt is itself worth investigating.
Click on "Assign Metric". Give the filter a name, choose or create a metric namespace, and set the metric name to something descriptive, such as CMKDisableDeleteMetric.
Set the metric value to 1 so that each occurrence of the filter pattern adds one to the metric. Click on "Create Filter."
Step 2: Create an Alarm for the Log Metric Filter:
In the CloudWatch console, click on "Alarms", then "Create alarm", then "Select metric". Locate the metric created in Step 1, e.g. CMKDisableDeleteMetric, and select it.
Use the Sum statistic over a 5 minute period and set the threshold to greater than or equal to 1 for 1 out of 1 datapoints, so the alarm triggers for every occurrence of the filter.
Configure the alarm action to notify an SNS topic that has at least one subscriber (the benchmark audits for this), give the alarm a name, and click on "Create alarm".
Troubleshooting Steps:
In case the log metric filter or alarm is not functioning as expected, consider the following troubleshooting steps:
Confirm that the trail is multi-region, records management events, and is actually delivering to the log group (check the log group's last ingestion time).
Open the metric filter and use "Test pattern" against a recent log event to confirm the pattern matches the JSON CloudTrail records as written.
If the alarm sits in INSUFFICIENT_DATA, no matching events have been seen; set "Treat missing data" to "notBreaching" so an idle period is reported as OK rather than as missing data.
Confirm that the SNS topic referenced by the alarm action exists and has a confirmed subscription.
It is recommended to regularly monitor the execution of this rule to ensure ongoing compliance with the CIS AWS Foundation Benchmark.
Related CLI Commands:
No specific CLI command is required to implement this rule; the console steps above are sufficient. The same filter and alarm can be created with aws logs put-metric-filter and aws cloudwatch put-metric-alarm, and audited with aws logs describe-metric-filters and aws cloudwatch describe-alarms-for-metric.
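The procedure above, as an added example that is not code from the page or from the benchmark: the benchmark's filter pattern re-implemented as a predicate, run over a few constructed CloudTrail records to show what it does and does not match (including a denied attempt), the Sum metric and alarm rule applied to the result, and a boto3 helper that provisions the real filter and alarm. The log group, metric namespace, alarm name, SNS topic ARN, key IDs and user names are assumptions.

```python
"""Added example: CIS AWS Foundations v1.3.0 CMK disable/scheduled-deletion
monitoring as code. Offline part: filter semantics, metric and alarm state
over constructed records. Online part: provision() with boto3 (assumed)."""
import json
from datetime import datetime

# Filter pattern from the CIS AWS Foundations Benchmark v1.3.0 control for
# disabling or scheduling deletion of customer created CMKs.
CIS_KMS_FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)
WATCHED_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}


def matches_cis_kms_filter(record: dict) -> bool:
    """Same predicate as CIS_KMS_FILTER_PATTERN, evaluated locally.

    There is deliberately no errorCode clause: the benchmark wants attempts
    alarmed, so an AccessDenied ScheduleKeyDeletion still counts."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") in WATCHED_EVENTS)


def metric_sum(log_lines, period_s=300):
    """What CloudWatch computes for metricValue "1" with the Sum statistic:
    number of matching records per period_s bucket, keyed by bucket start."""
    buckets = {}
    for line in log_lines:
        record = json.loads(line)
        if not matches_cis_kms_filter(record):
            continue
        ts = datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // period_s * period_s
        buckets[start] = buckets.get(start, 0) + 1
    return buckets


def alarm_state(buckets, threshold=1):
    """Alarm rule Sum >= threshold over one evaluation period: any bucket at
    or above the threshold would have put the alarm into ALARM."""
    return "ALARM" if any(v >= threshold for v in buckets.values()) else "OK"


# Constructed CloudTrail records (fake key ID and user names, not real data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",  # denied, but still an attempt
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey", "awsRegion": "us-east-1"},          # benign
    {"eventTime": "2024-05-01T10:03:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1"},   # not KMS
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def provision(log_group, metric_name="CMKDisableDeleteMetric",
              namespace="CISBenchmark", alarm_name="CIS-CMKDisableOrDelete",
              sns_topic_arn="arn:aws:sns:us-east-1:111122223333:cis-alarms"):
    """Create the filter and alarm for real; boto3 and credentials assumed,
    and every default argument above is an assumed name."""
    import boto3  # imported here so the offline part of the module needs no boto3
    logs = boto3.client("logs")
    cloudwatch = boto3.client("cloudwatch")
    logs.put_metric_filter(
        logGroupName=log_group,
        filterName=f"{metric_name}Filter",
        filterPattern=CIS_KMS_FILTER_PATTERN,
        metricTransformations=[{"metricName": metric_name,
                                "metricNamespace": namespace,
                                "metricValue": "1"}],
    )
    cloudwatch.put_metric_alarm(
        AlarmName=alarm_name,
        AlarmDescription="Customer created CMK disabled or scheduled for deletion",
        Namespace=namespace, MetricName=metric_name,
        Statistic="Sum", Period=300, EvaluationPeriods=1,
        Threshold=1, ComparisonOperator="GreaterThanOrEqualToThreshold",
        TreatMissingData="notBreaching",    # no events is not an incident
        AlarmActions=[sns_topic_arn],       # the benchmark audits for an SNS subscriber
    )


if __name__ == "__main__":
    buckets = metric_sum(SAMPLE_LOG_LINES)
    print(buckets, alarm_state(buckets))   # {1714557600: 2} ALARM
```

Running the module offline shows the two KMS events landing in the same 5 minute bucket and the alarm rule firing, while DescribeKey and the EC2 call are ignored; provision() is only called deliberately, with a real log group name, once the offline behaviour is what you expect.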
Note: Ensure that you have the necessary permissions to create and configure log metric filters and alarms in CloudWatch.