Ensure a Log Metric Filter and Alarm Exist for Security Group Changes Rule
This rule ensures the presence of a log metric filter and alarm for any security group changes in the system.
| Rule | Ensure a log metric filter and alarm exist for security group changes |
| Framework | cis_v140 |
| Severity | ✔ Medium |
Ensure a Log Metric Filter and Alarm Exist for Security Group Changes (CIS v1.4.0)
Security groups act as virtual firewalls for your EC2 instances to control inbound and outbound traffic. Monitoring changes to security groups is crucial for maintaining the security of an AWS environment.
Rule Description
This rule ensures that your AWS environment has the necessary log metric filters and alarms to detect changes to EC2 security groups. The logging should capture events like
AuthorizeSecurityGroupIngressRevokeSecurityGroupIngressAuthorizeSecurityGroupEgressRevokeSecurityGroupEgressPrerequisites
Before setting up the necessary metric filter and alarm, ensure that:
- 1.AWS CloudTrail is enabled in your AWS account.
- 2.Amazon CloudWatch Logs is set up to receive CloudTrail logs.
Step by Step Guide for Remediation
Step 1: Create the Metric Filter
- 1.
Navigate to CloudWatch in the AWS Management Console.
- 2.
Go to Logs and choose the log group that receives CloudTrail events.
- 3.
Select
.Create Metric Filter - 4.
In the
box, enter the following pattern:Filter Pattern{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupEgress) } - 5.
Click
.Assign Metric - 6.
Define the filter name and metric details:
- Filter Name:
SecurityGroupChanges - Metric Namespace:
CISBenchmark - Metric Name:
SecurityGroupEventCount
- 7.
Click
.Create Filter
Step 2: Create the Alarm
- 1.After creating the metric filter, click
.Create Alarm - 2.Configure the alarm with the following criteria:
- Whenever this metric is greater than 0 for a period of 5 minutes.
- The statistic should be
.Sum - Set the period to
.5 minutes
- 3.Specify the alarm name as
.SecurityGroupChangeAlarm - 4.Configure Actions:
- In Alarm state trigger a notification to your SNS topic.
- 5.Define the alarm description and click
.Create Alarm
Necessary AWS CLI Commands
To create a metric filter and alarm through AWS CLI, use the following commands:
Create Metric Filter
aws logs put-metric-filter \ --log-group-name <cloudtrail-log-group-name> \ --filter-name SecurityGroupChanges \ --filter-pattern '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupEgress) }' \ --metric-transformations metricName=SecurityGroupEventCount,metricNamespace=CISBenchmark,metricValue=1
Create Alarm
aws cloudwatch put-metric-alarm \ --alarm-name SecurityGroupChangeAlarm \ --metric-name SecurityGroupEventCount \ --namespace CISBenchmark \ --statistic Sum \ --period 300 \ --evaluation-periods 1 \ --threshold 0 \ --comparison-operator GreaterThanThreshold \ --alarm-actions <sns-topic-arn> \ --insufficient-data-actions <sns-topic-arn>
Replace
<cloudtrail-log-group-name><sns-topic-arn>Troubleshooting Steps
If you encounter issues:
- Verify that CloudTrail is properly configured and logging to CloudWatch Logs.
- Check the metric filter syntax and ensure it matches with AWS CloudTrail event patterns.
- Ensure the SNS topic is correctly configured to send notifications.
- Inspect the IAM permissions to make sure proper permissions are granted for creating metrics and alarms.
- Check the CloudWatch Alarms dashboard to investigate any operational issues.
This detailed guide for creating metric filters and alarms for monitoring security group changes should help maintain the security and integrity of your AWS environment, in accordance with CIS v1.4.0 benchmarks.