
Rule: Ensure a log metric filter and alarm exist for S3 bucket policy changes

This rule ensures a log metric filter and alarm exist for S3 bucket policy changes.

Rule: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Framework: cis_v130
Severity: Low

Rule Description:

The rule ensures that a CloudWatch Logs metric filter and a CloudWatch alarm are created to track and monitor any changes made to S3 bucket policies, as required by the cis_v130 benchmark for AWS.

Troubleshooting Steps:

If the log metric filter and alarm do not exist, or if they are not working as expected, follow these troubleshooting steps:

  1. Verify S3 Bucket Policy Changes Log Group: Check if a CloudWatch log group is configured to capture S3 bucket policy changes. If not, you need to create one.

  2. Confirm Log Metric Filter: Ensure that a log metric filter is set up correctly in the CloudWatch log group. The filter should capture entries related to S3 bucket policy changes.

  3. Verify Alarm Configuration: Check if an alarm is configured to monitor the log metric filter for S3 bucket policy changes. Ensure that the alarm is set to trigger when there are any policy changes.

  4. Check Permissions: Make sure that the IAM role or user associated with the CloudWatch log group, log metric filter, and alarm has the necessary permissions to access S3 bucket policies and trigger alarms.

  5. Test Event Generation: Verify that the log metric filter is generating the expected events when a policy change occurs. You can make a sample S3 bucket policy change and check if the log metric filter captures it.

  6. Check Alarm State: Ensure that the alarm state is accurate and reflects the changes in the S3 bucket policy. If the alarm state is not as expected, review the alarm configuration and adjust it accordingly.

Necessary Codes:

There are no specific codes required for this rule. However, you may need to use the AWS CLI or SDKs to create and configure the CloudWatch log group, log metric filter, and alarm if they are not already set up.

Step-by-Step Guide for Remediation:

Follow the steps below to implement the necessary configuration for monitoring and tracking S3 bucket policy changes:

  1. Create a Log Group for S3 Bucket Policy Changes:

    • Sign in to the AWS Management Console.
    • Open the CloudWatch service.
    • In the left navigation pane, click on "Log groups."
    • Click on the "Create log group" button.
    • Provide a name for the log group, such as "S3BucketPolicyChanges" or any name of your choice.
    • Click on "Create log group" to create the log group.

  2. Configure Log Metric Filter:

    • Select the newly created log group "S3BucketPolicyChanges".
    • In the log group details, click on the "Create metric filter" button.
    • In the "Create metric filter" wizard, provide a filter pattern to match the S3 bucket policy change entries.
    • Ensure that the filter pattern is correctly defined to capture S3 bucket policy changes.
    • Define a metric namespace and a metric name for the log metric filter.
    • Click on "Test pattern" to verify that the filter matches the S3 bucket policy change events.
    • Click on "Assign metric" and choose the metric namespace and name created earlier.
    • Click on "Create filter" to finish configuring the log metric filter.

  3. Configure Alarm for Log Metric Filter:

    • In the CloudWatch service console, go to the "Alarms" section.
    • Click on the "Create alarm" button.
    • In the "Create alarm" wizard, select the previously created metric namespace and name.
    • Configure the alarm criteria based on your desired conditions for policy changes.
    • Set the actions to be triggered when the alarm state changes.
    • Provide a name and description for the alarm.
    • Click on "Create alarm" to complete the alarm configuration.

Once the log metric filter and alarm are set up, they will start capturing and monitoring the S3 bucket policy changes. You should receive notifications or take appropriate actions as configured in the alarm settings.
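As an added, offline-checkable illustration of the remediation above (not code from the original page or from Cloud Defense), the block below carries the metric filter pattern the CIS AWS Foundations Benchmark publishes for this control and a Python re-implementation of its condition, run over constructed CloudTrail records. It assumes, as the metric filter itself does, that a CloudTrail trail delivers its events to the log group the filter is attached to; the names S3BucketPolicyChanges and CISBenchmark in the CLI comment are placeholders.

```python
import json

# Filter pattern published in the CIS AWS Foundations Benchmark for this control.
# Pass it verbatim to the AWS CLI when creating the filter, for example:
#   aws logs put-metric-filter --log-group-name <CloudTrail log group> \
#     --filter-name S3BucketPolicyChanges --filter-pattern "$PATTERN" \
#     --metric-transformations metricName=S3BucketPolicyChanges,metricNamespace=CISBenchmark,metricValue=1
CIS_S3_POLICY_FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && "
    "(($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || "
    "($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || "
    "($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || "
    "($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || "
    "($.eventName = DeleteBucketReplication)) }"
)

# The same condition expressed in Python, so the pattern's coverage can be checked offline.
S3_POLICY_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
}

def matches_filter(record: dict) -> bool:
    """True if this CloudTrail record would match the CIS metric filter pattern."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in S3_POLICY_EVENTS)

def count_matches(log_lines) -> int:
    """Mimic the metric filter over a log stream: one JSON record per line, each
    match contributes metricValue=1. Lines that are not JSON objects never match."""
    hits = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict) and matches_filter(record):
            hits += 1
    return hits

# Constructed sample CloudTrail records (not real log data).
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy"}),
    json.dumps({"eventSource": "iam.amazonaws.com", "eventName": "PutBucketPolicy"}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy"}),
    "2024-01-01 not a JSON record",
]
```

Running `count_matches(SAMPLE_LOG_LINES)` yields 2 (the PutBucketPolicy and DeleteBucketPolicy records); a read-only GetBucketPolicy call and an event from another service do not count, which is the behaviour to expect from the "Test pattern" step in the console.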
