Ensure a Log Metric Filter and Alarm Exist for Disabling or Scheduled Deletion of Customer Created CMKs Rule
This rule ensures the presence of a log metric filter and alarm for customer created CMKs scheduled deletion.
| Rule | Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs |
| Framework | cis_v130 |
| Severity | ✔ Low |
Rule Description: Log Metric Filter and Alarm for Disabling or Scheduled Deletion of Customer Created CMKs
This rule ensures that a log metric filter and alarm are created in order to capture any attempts of disabling or scheduling deletion for customer created Customer Master Keys (CMKs) in the CIS AWS Foundation Benchmark v1.3.0.
Policy Details:
- 1.Policy ID: cis_v130_cmk_disable_scheduled_deletion
- 2.Description: This policy ensures the presence of a log metric filter and alarm to monitor and alert on any interactions related to disabling or scheduling deletion of customer created CMKs.
- 3.Compliance Standards: CIS AWS Foundation Benchmark v1.3.0
Rule Remediation:
Follow these steps to implement the necessary components to fulfill this rule.
Step 1: Create a Log Metric Filter:
- 1.
Go to the Amazon CloudWatch console: https://console.aws.amazon.com/cloudwatch/.
- 2.
In the navigation pane, click on "Log groups" and locate the relevant CloudTrail log group (e.g.,
)./aws/cloudtrail/<your-cloudtrail-log-group> - 3.
Click on the log group to open its details.
- 4.
In the "Actions" dropdown, select "Create Metric Filter."
- 5.
Specify a filter pattern that will match the CMK disable or scheduled deletion events. For example, you can use the following pattern:
{($.eventName = "DisableKey" || $.eventName = "ScheduleKeyDeletion") && $.errorString NOT EXISTS && $.additionalEventData.principalId NOT EXISTS}This pattern captures the events where a customer user (
) disables or schedules deletion of a CMK.$.additionalEventData.principalId - 6.
Click on "Assign Metric" and create a new metric namespace with an appropriate name, like
.CMKDisableDeleteMetric - 7.
Choose a metric value, such as
, to indicate each occurrence of the filter pattern.1 - 8.
Click on "Create Filter."
Step 2: Create an Alarm for the Log Metric Filter:
- 1.In the CloudWatch console, click on the "Alarms" section in the navigation pane.
- 2.Click on the "Create Alarm" button.
- 3.Under the "Create Alarm" tab, choose "Select metric"
- 4.Search for the metric namespace created in Step 1, e.g.,
, and select it.CMKDisableDeleteMetric - 5.Define the conditions for the alarm based on your specific requirements. For example, you can set the "Threshold type" to "Static" and specify a threshold value of
to trigger the alarm for every occurrence of the filter.1 - 6.Configure the actions to be taken when the alarm is triggered (e.g., sending notifications via email, SNS topic, etc.).
- 7.Click on "Create Alarm."
Troubleshooting Steps:
In case the log metric filter or alarm is not functioning as expected, consider the following troubleshooting steps:
- 1.Ensure that CloudTrail logging is enabled for the region where the CMKs are created or deleted.
- 2.Check if the log group associated with CloudTrail is correctly specified in the log metric filter.
- 3.Verify that the filter pattern used in the log metric filter matches the events representing CMK disable or scheduled deletion correctly.
- 4.Confirm that the alarm threshold is set appropriately, considering the expected frequency of CMK disable or deletion events.
- 5.Review the CloudWatch metrics and logs for any errors or inconsistencies.
It is recommended to regularly monitor the execution of this rule to ensure ongoing compliance with the CIS AWS Foundation Benchmark.
Related CLI Commands:
There are no specific CLI commands required to implement this rule. However, you may use the AWS CLI to automate the creation and management of CloudWatch log metric filters and alarms.
Note: Ensure that you have the necessary permissions to create and configure log metric filters and alarms in CloudWatch.