Ensure a Log Metric Filter and Alarm Exist for Changes to Network Access Control Lists (NACL) Rule
This rule ensures a log metric filter and alarm exist for changes to NACLs.
| Rule | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) in the cis_v140 AWS Config ruleset. This helps to monitor and alert any modifications made to NACL configurations, which can help in identifying potential security risks or unauthorized changes.
Troubleshooting Steps:
If there are any issues with the log metric filter and alarm for NACL changes, follow these troubleshooting steps:
- 1.Verify the AWS Config ruleset: Ensure that the cis_v140 AWS Config ruleset is enabled and active. If it is not active, enable it.
- 2.Check the CloudWatch Logs: Navigate to the CloudWatch Logs console and search for the log group associated with NACL changes. Ensure that the logs are being generated correctly.
- 3.Review IAM permissions: Validate that the IAM role associated with AWS Config and CloudWatch Logs has the necessary permissions to create log metric filters and alarms.
- 4.Verify alarm settings: Double-check the alarm configuration, such as notification actions, alarm thresholds, and period settings, to make sure they are correct.
- 5.Test the ruleset: Make a deliberate change to a NACL configuration and check if the log metric filter triggers the alarm as expected.
Necessary Code:
There is no specific code required for this rule as it primarily relies on the configuration of AWS Config, CloudWatch Logs, and CloudWatch Alarms through the AWS Management Console or AWS CLI.
Remediation Steps:
If the log metric filter and alarm for NACL changes do not exist or need to be set up, follow these steps:
- 1.Sign in to the AWS Management Console.
- 2.Open the AWS Config console.
- 3.Navigate to the "Rules" section.
- 4.Ensure that the cis_v140 AWS Config ruleset is enabled.
- 5.Click on "Add Rule" if the rule does not already exist.
- 6.Select the appropriate resource type filter for the NACL (e.g., "AWS::EC2::NetworkAcl").
- 7.Configure the rule parameters to specify the desired behavior for detecting changes to NACL configurations.
- 8.Save the rule configuration.
- 9.Open the CloudWatch Logs console.
- 10.Locate or create a log group specifically for NACL changes.
- 11.Use a log filter pattern to capture NACL-related events (e.g., "{ $.eventName = CreateNetworkAclEntry || $.eventName = DeleteNetworkAclEntry }").
- 12.Save the log metric filter configuration.
- 13.Open the CloudWatch Alarms console.
- 14.Create a new alarm and select the log metric filter created in the previous step.
- 15.Configure the alarm threshold, actions to be taken when triggered, and any additional settings specific to your monitoring requirements.
- 16.Save the alarm configuration.
Once these steps have been completed, any changes made to NACL configurations will be monitored, and the configured alarm will be triggered based on the defined conditions.