This rule ensures a log metric filter and alarm exist for S3 bucket policy changes.
Rule | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
Framework | cis_v130 |
Severity | ✔ Low |
Rule Description:
The rule checks that a CloudWatch Logs metric filter and a matching CloudWatch alarm exist to detect changes to S3 bucket policies recorded by CloudTrail. The CIS pattern for this control also covers the related bucket-level settings that change who can read or alter bucket contents: bucket ACLs, CORS, lifecycle and replication configuration. A change to any of these can silently expose data or weaken access controls, so it should raise an alert. This corresponds to control 4.8 of the CIS AWS Foundations Benchmark v1.3.0 (cis_v130).
Troubleshooting Steps:
If the log metric filter and alarm do not exist, or do not fire when a bucket policy changes, work through the delivery chain in order (CloudTrail, log group, metric filter, metric, alarm, notification):
Verify the CloudTrail log group: Confirm that a multi-region CloudTrail trail that records management events is delivering to a CloudWatch Logs log group (the trail's CloudWatch Logs log group ARN). The metric filter is attached to that log group; there is no separate "S3 policy change" log group. If no trail delivers to CloudWatch Logs, create the log group and configure the trail to write to it.
Confirm the metric filter: Ensure a metric filter on that log group uses the CIS pattern, which matches eventSource s3.amazonaws.com together with eventName PutBucketAcl, PutBucketPolicy, PutBucketCors, PutBucketLifecycle, PutBucketReplication, DeleteBucketPolicy, DeleteBucketCors, DeleteBucketLifecycle or DeleteBucketReplication, and that it emits a value of 1 to a named metric in a namespace of your choosing. A filter that matches only PutBucketPolicy is a common partial implementation and does not satisfy the control.
Verify the alarm configuration: Check that an alarm watches the metric the filter emits, uses the Sum statistic with a threshold of 1 (GreaterThanOrEqualToThreshold) over a 300-second period and one evaluation period, and has at least one alarm action, typically an SNS topic with a confirmed subscription.
Check permissions: The permissions that matter are on the delivery path, not on the buckets. The IAM role CloudTrail assumes to write to CloudWatch Logs must allow logs:CreateLogStream and logs:PutLogEvents on the log group, and if the SNS topic has a custom access policy it must still allow CloudWatch to publish to it. The metric filter and alarm themselves never read S3 bucket policies, so no S3 permissions are involved.
Test event generation: Make a harmless change, for example re-applying the existing policy to a test bucket, wait for CloudTrail delivery (typically a few minutes), then search the log group for the PutBucketPolicy event and confirm the metric shows a non-zero data point. To exercise the pattern without waiting for delivery, aws logs test-metric-filter runs a filter pattern against sample log lines you supply.
Check alarm state: After the test event the alarm should move to ALARM. If it stays in INSUFFICIENT_DATA, the metric is not receiving data points, which points back to CloudTrail delivery or the filter pattern. If it enters ALARM but nobody is notified, the alarm action or the SNS subscription is the problem.
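To make the "test event generation" step concrete without a live account, the following added example (not code from the original page) evaluates the CIS 4.8 filter pattern against a handful of constructed CloudTrail records. The filter pattern string is the one CIS publishes for this control; the Python predicate WATCHED_EVENTS/matches_cis_48 is my re-statement of it, and the sample records are constructed for the demonstration, not real audit data.

```python
"""Offline check of the CIS 4.8 S3 bucket policy change filter against
constructed CloudTrail records (added example, not part of the original page)."""
import json

# CloudWatch Logs metric filter pattern from the CIS AWS Foundations
# Benchmark v1.3.0, control 4.8.
FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && "
    "(($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || "
    "($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || "
    "($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || "
    "($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || "
    "($.eventName = DeleteBucketReplication)) }"
)

# The same condition re-stated in Python so it can be exercised locally.
WATCHED_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
}


def matches_cis_48(record: dict) -> bool:
    """True if a CloudTrail record would be counted by the CIS 4.8 metric filter:
    both the service and the exact action name must match."""
    return (
        record.get("eventSource") == "s3.amazonaws.com"
        and record.get("eventName") in WATCHED_EVENTS
    )


def count_matches(log_lines):
    """Parse newline-delimited JSON as CloudWatch Logs receives it from CloudTrail
    and return (matched_event_names, parsed_record_count). Lines that are not JSON
    are skipped, mirroring a JSON metric filter that ignores non-JSON events."""
    matched, total = [], 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        total += 1
        if matches_cis_48(record):
            matched.append(record["eventName"])
    return matched, total


# Constructed sample records (not real CloudTrail output); only the fields the
# filter inspects are populated.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
                "requestParameters": {"bucketName": "example-bucket"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
                "requestParameters": {"bucketName": "example-bucket"}}),
    # Data-plane write: not a policy change, must not fire.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}),
    # Reading the policy is not a change.
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy"}),
    # Constructed solely to show the eventSource clause matters.
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "PutBucketPolicy"}),
    "not json at all",
]

if __name__ == "__main__":
    hits, total = count_matches(SAMPLE_LOG_LINES)
    print(f"{len(hits)} of {total} records would increment the metric: {hits}")
```

Against a real log group the equivalent check is aws logs test-metric-filter with FILTER_PATTERN and the same JSON lines as --log-event-messages; if that reports matches but the metric stays flat, the problem is CloudTrail delivery, not the pattern.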
Necessary Codes:
No dedicated code ships with this rule. The resources are created with the AWS CLI (aws logs create-log-group, aws logs put-metric-filter, aws cloudwatch put-metric-alarm, and aws cloudtrail update-trail to point a trail at the log group) or with an SDK, as outlined in the remediation steps below.
Step-by-Step Guide for Remediation:
Follow the steps below to monitor S3 bucket policy changes. All three resources live in the region of the log group; the trail itself should be multi-region so that changes made in any region are captured.
Create a Log Group for S3 Bucket Policy Changes: If no CloudWatch Logs log group already receives CloudTrail, create one (aws logs create-log-group) and configure a multi-region trail that logs management events to deliver to it (aws cloudtrail update-trail with --cloud-watch-logs-log-group-arn and --cloud-watch-logs-role-arn). The role must allow CloudTrail to create log streams and put log events in that group. If a trail already delivers to a log group, reuse it; the filter in the next step is attached to that group.
Configure Log Metric Filter: Attach a metric filter to the log group (aws logs put-metric-filter) using the CIS pattern for this control, which matches eventSource s3.amazonaws.com with eventName PutBucketAcl, PutBucketPolicy, PutBucketCors, PutBucketLifecycle, PutBucketReplication, DeleteBucketPolicy, DeleteBucketCors, DeleteBucketLifecycle or DeleteBucketReplication, and a metric transformation that emits a value of 1 to a metric name and namespace of your choosing.
Configure Alarm for Log Metric Filter: Create an alarm on that metric (aws cloudwatch put-metric-alarm) with statistic Sum, a 300-second period, one evaluation period, threshold 1 with GreaterThanOrEqualToThreshold, and an SNS topic with at least one confirmed subscription as the alarm action.
Once the metric filter and alarm are in place, every matching CloudTrail event increments the metric, the alarm transitions to ALARM and the configured alarm action sends the notification. CloudTrail delivery to CloudWatch Logs lags the API call by a few minutes, so treat this as near-real-time detection, not an inline control.
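The three remediation steps above, plus the audit a checker performs, as one added boto3 example (not code from the original page or the benchmark). It assumes a trail already delivers to the named log group and that the SNS topic exists with a subscriber; the filter, alarm, namespace and metric names are assumptions, since the benchmark does not prescribe them. The offline functions (request builders and audit) need no SDK; only remediate() imports boto3 and needs credentials with logs:PutMetricFilter, logs:DescribeMetricFilters, cloudwatch:PutMetricAlarm and cloudwatch:DescribeAlarms. The describe responses at the bottom are constructed to show a failing configuration.

```python
"""Create, or audit, the CIS 4.8 metric filter and alarm (added example)."""

# CIS AWS Foundations Benchmark v1.3.0, control 4.8 filter pattern.
FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && "
    "(($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || "
    "($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || "
    "($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || "
    "($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || "
    "($.eventName = DeleteBucketReplication)) }"
)
# Every compliant pattern must contain these terms; the audit is term based
# because tools differ in whitespace and clause order.
REQUIRED_TERMS = (
    "s3.amazonaws.com", "PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
    "PutBucketLifecycle", "PutBucketReplication", "DeleteBucketPolicy",
    "DeleteBucketCors", "DeleteBucketLifecycle", "DeleteBucketReplication",
)
# Assumed names: the benchmark does not prescribe them.
FILTER_NAME = "cis-4-8-s3-bucket-policy-changes"
ALARM_NAME = "cis-4-8-s3-bucket-policy-changes"
METRIC_NAMESPACE = "CISBenchmark"
METRIC_NAME = "S3BucketPolicyChanges"


def metric_filter_request(log_group: str) -> dict:
    """Arguments for logs.put_metric_filter (same keys as the CLI JSON)."""
    return {
        "logGroupName": log_group,
        "filterName": FILTER_NAME,
        "filterPattern": FILTER_PATTERN,
        "metricTransformations": [{"metricName": METRIC_NAME,
                                   "metricNamespace": METRIC_NAMESPACE,
                                   "metricValue": "1"}],
    }


def metric_alarm_request(sns_topic_arn: str) -> dict:
    """Arguments for cloudwatch.put_metric_alarm: Sum over 5 minutes, fire on
    the first matching event, notify the SNS topic."""
    return {
        "AlarmName": ALARM_NAME,
        "AlarmDescription": "CIS 4.8: S3 bucket policy changed",
        "Namespace": METRIC_NAMESPACE, "MetricName": METRIC_NAME,
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
        "Threshold": 1, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def audit(filters_response: dict, alarms_response: dict) -> list:
    """Findings for the responses of logs.describe_metric_filters(...) and
    cloudwatch.describe_alarms(...). An empty list means the control passes."""
    metrics = set()
    for f in filters_response.get("metricFilters", []):
        if all(term in f.get("filterPattern", "") for term in REQUIRED_TERMS):
            for t in f.get("metricTransformations", []):
                metrics.add((t["metricNamespace"], t["metricName"]))
    if not metrics:
        return ["no metric filter in the log group covers all CIS 4.8 S3 events"]
    bound = [a for a in alarms_response.get("MetricAlarms", [])
             if (a.get("Namespace"), a.get("MetricName")) in metrics]
    if not bound:
        return ["no alarm is attached to the metric emitted by the filter"]
    if not any(a.get("AlarmActions") for a in bound):
        return ["alarm exists but has no alarm action, so nobody is notified"]
    return []


def remediate(log_group: str, sns_topic_arn: str, region: str) -> list:
    """Create or update the filter and alarm, then re-audit (needs credentials)."""
    import boto3  # imported here so the offline functions above need no SDK
    logs = boto3.client("logs", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    logs.put_metric_filter(**metric_filter_request(log_group))
    cw.put_metric_alarm(**metric_alarm_request(sns_topic_arn))
    return audit(logs.describe_metric_filters(logGroupName=log_group),
                 cw.describe_alarms(AlarmNames=[ALARM_NAME]))


# Constructed API responses (not real output). The filter only watches
# PutBucketPolicy and the alarm has no action: two separate ways to fail.
PARTIAL_FILTERS = {"metricFilters": [{
    "filterName": "partial",
    "filterPattern": "{ ($.eventSource = s3.amazonaws.com) && ($.eventName = PutBucketPolicy) }",
    "metricTransformations": [{"metricName": "X", "metricNamespace": "Y", "metricValue": "1"}],
}]}
COMPLIANT_FILTERS = {"metricFilters": [metric_filter_request("CloudTrail/DefaultLogGroup")]}
ALARM_WITHOUT_ACTION = {"MetricAlarms": [{"AlarmName": "silent", "Namespace": METRIC_NAMESPACE,
                                          "MetricName": METRIC_NAME, "AlarmActions": []}]}

if __name__ == "__main__":
    print(audit(PARTIAL_FILTERS, ALARM_WITHOUT_ACTION))
    print(audit(COMPLIANT_FILTERS, ALARM_WITHOUT_ACTION))
```

The audit deliberately checks the metric the filter emits rather than an alarm name, because the control is satisfied by any alarm bound to that metric; a filter created with one tool and an alarm created with another still pass as long as namespace and metric name agree and the alarm has an action.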