This rule ensures the presence of a log metric filter and alarm for any changes made to network gateways.
| Attribute | Value |
|---|---|
| Rule | Ensure a log metric filter and alarm exist for changes to network gateways |
| Framework | cis_v140 |
| Severity | ✔ Low |
Ensure Log Metric Filter and Alarm Exist for Changes to Network Gateways for CIS v1.4.0
Creating a log metric filter and an alarm for changes to network gateways is crucial for AWS account security. The aim of this rule is to detect and react to unauthorized alterations, which could potentially lead to a security breach. Follow the steps below to implement this CIS (Center for Internet Security) benchmark:
Overview of the Rule
This rule involves creating:
- a CloudWatch Logs metric filter on the CloudTrail log group that matches the API calls which create, delete, attach or detach network gateways, and
- a CloudWatch alarm on the resulting metric that notifies you whenever the filter records a match.
Troubleshooting Steps
1. Verify Log Group Configuration
Ensure CloudTrail logging is enabled and the log group is correctly receiving logs.
2. Check Existing Metric Filters
Confirm whether a metric filter for network gateway changes already exists on that log group.
3. Alarm Status
Review if an alarm exists and is properly configured to notify when suspicious activity is detected.
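The three troubleshooting checks above can be automated. The following is an added example, not code from the original page or from the benchmark tooling: it applies checks 2 and 3 to constructed copies of what `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms` return (the `metricFilters` and `MetricAlarms` lists respectively), so it runs offline. The log group name, filter contents and SNS topic ARN are constructed sample values; to audit a real account, feed it the live responses.

```python
"""Offline audit of the CIS 1.4.0 "network gateway changes" control.

Added example. It checks that a metric filter on the CloudTrail log group
covers every required eventName, and that an alarm with at least one
action watches the metric that filter emits.
"""
import re

# The six CloudTrail event names the CIS 1.4.0 filter pattern must cover.
REQUIRED_EVENTS = frozenset({
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
})

# Matches each `$.eventName = Value` term inside a CloudWatch Logs filter pattern.
_EVENT_TERM = re.compile(r"\$\.eventName\s*=\s*\"?(\w+)\"?")


def pattern_events(filter_pattern: str) -> frozenset:
    """Return the set of eventName values a filter pattern tests for."""
    return frozenset(_EVENT_TERM.findall(filter_pattern))


def audit(log_group: str, metric_filters: list, alarms: list) -> list:
    """Return a list of findings; an empty list means the control is satisfied.

    metric_filters: the "metricFilters" list from describe-metric-filters
    alarms:         the "MetricAlarms" list from describe-alarms
    """
    findings = []
    # Check 2: a filter on the CloudTrail log group must cover every event.
    compliant_metrics = set()
    for mf in metric_filters:
        if mf.get("logGroupName") != log_group:
            continue
        missing = REQUIRED_EVENTS - pattern_events(mf.get("filterPattern", ""))
        if missing:
            findings.append(f"filter {mf['filterName']} misses {sorted(missing)}")
            continue
        for t in mf.get("metricTransformations", []):
            compliant_metrics.add((t["metricNamespace"], t["metricName"]))
    if not compliant_metrics:
        findings.append(f"no complete metric filter on log group {log_group}")
        return findings
    # Check 3: an alarm must watch one of those metrics and actually notify someone.
    alarmed = [a for a in alarms
               if (a.get("Namespace"), a.get("MetricName")) in compliant_metrics]
    if not alarmed:
        findings.append("no alarm attached to the network-gateway metric")
    elif not any(a.get("AlarmActions") for a in alarmed):
        findings.append("alarm exists but has no AlarmActions (nobody is notified)")
    return findings


# Constructed sample API responses (not data from a real account).
SAMPLE_LOG_GROUP = "CloudTrail/DefaultLogGroup"
SAMPLE_FILTERS = [{
    "filterName": "NetworkGatewayChanges",
    "logGroupName": SAMPLE_LOG_GROUP,
    "filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || "
                     "($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || "
                     "($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }",
    "metricTransformations": [{"metricName": "NetworkGatewayChangesMetric",
                               "metricNamespace": "CISBenchmark", "metricValue": "1"}],
}]
SAMPLE_ALARMS = [{
    "AlarmName": "NetworkGatewayChangesAlarm",
    "Namespace": "CISBenchmark", "MetricName": "NetworkGatewayChangesMetric",
    # Placeholder SNS topic ARN; the account id is the AWS documentation example value.
    "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:PLACEHOLDER-security-alerts"],
}]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG_GROUP, SAMPLE_FILTERS, SAMPLE_ALARMS) or ["compliant"]:
        print(finding)
```

A filter that lists only some of the six events is reported with the missing names rather than passed, and an alarm with an empty `AlarmActions` list is reported separately, because that is the failure mode step 3 above is meant to catch: the alarm changes state but nobody is told.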
Necessary Commands
Metric Filter Creation
To create a metric filter that matches network gateway changes, you'll use the following AWS CLI command:
```bash
aws logs put-metric-filter \
  --log-group-name YOUR_LOG_GROUP_NAME \
  --filter-name "NetworkGatewayChanges" \
  --filter-pattern '{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }' \
  --metric-transformations metricName="NetworkGatewayChangesMetric",metricNamespace="CISBenchmark",metricValue="1"
```
Alarm Creation
To create an alarm for this metric, you'll use the AWS CLI command below:
```bash
aws cloudwatch put-metric-alarm \
  --alarm-name "NetworkGatewayChangesAlarm" \
  --metric-name "NetworkGatewayChangesMetric" \
  --namespace "CISBenchmark" \
  --statistic "Sum" \
  --period 300 \
  --evaluation-periods 1 \
  --threshold 1 \
  --comparison-operator "GreaterThanOrEqualToThreshold" \
  --alarm-actions YOUR_ALARM_ACTION_ARN \
  --insufficient-data-actions YOUR_INSUFFICIENT_DATA_ACTION_ARN
```
Replace YOUR_LOG_GROUP_NAME with the name of your CloudTrail log group, YOUR_ALARM_ACTION_ARN with the ARN of your alarm action, and YOUR_INSUFFICIENT_DATA_ACTION_ARN with the action to take when data is missing.

Step-by-Step Guide for Remediation
Step 1: Enable CloudTrail Logging
Before setting up metric filters and alarms, ensure that AWS CloudTrail is enabled and properly configured to log API activity.
Step 2: Create the Log Metric Filter
Using the provided AWS CLI command, create a metric filter to sift through CloudTrail logs for events indicating changes to network gateways.
Step 3: Create the Alarm
After creating the metric filter, create a CloudWatch alarm that notifies you when the metric filter records a change to a network gateway.
Step 4: Verify and Test
Verify that your new metric filter and alarm are operational by simulating a change to the network gateway and checking for an alert.
Step 5: Monitor and Adjust
Maintain regular monitoring to fine-tune the threshold and alarm settings as needed to avoid false positives and ensure timely detection of unauthorized changes.
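Step 4 can be rehearsed before touching a live account by replaying CloudTrail-style records through the filter pattern. The block below is an added example, not code from the original page or from AWS: it implements only the subset of CloudWatch Logs filter syntax the CIS pattern uses (JSON equality terms joined by `||`) and evaluates it against constructed records. It also shows the scope of the pattern: it counts the six internet and customer gateway events listed in the command above and nothing else, so a record for a NAT gateway API call, for instance, does not raise the metric.

```python
"""Dry-run the CIS network-gateway filter pattern against CloudTrail records.

Added example. Only `{ ($.path = value) || ... }` patterns are supported;
`&&`, `!=`, numeric comparisons and wildcards are rejected rather than
silently mis-evaluated.
"""
import json
import re

# The filter pattern from the put-metric-filter command on this page.
CIS_PATTERN = (
    "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || "
    "($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || "
    "($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
)

# One `($.some.path = value)` term; the value may or may not be quoted.
_TERM = re.compile(r"\(\s*\$\.([\w.]+)\s*=\s*\"?([^\s\")]+)\"?\s*\)")


def parse_or_pattern(pattern: str) -> list:
    """Return [(json_path, expected_value), ...] for an OR-only equality pattern."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON filter patterns enclosed in { } are supported")
    if "&&" in body or "!=" in body:
        raise ValueError("only equality terms joined by || are supported")
    terms = _TERM.findall(body)
    if not terms:
        raise ValueError("no ($.field = value) terms found")
    return terms


def _lookup(record: dict, path: str):
    """Resolve a dotted JSON path such as userIdentity.type; None if absent."""
    for key in path.split("."):
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def matches(pattern: str, record: dict) -> bool:
    """True if any equality term in the pattern matches the record (OR semantics)."""
    return any(str(_lookup(record, path)) == value
               for path, value in parse_or_pattern(pattern))


def matching_events(pattern: str, log_lines: list) -> list:
    """eventName of each CloudTrail JSON line that the pattern would count."""
    return [json.loads(line)["eventName"] for line in log_lines
            if matches(pattern, json.loads(line))]


# Constructed CloudTrail-style records (not captured from a real account).
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateInternetGateway",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInternetGateways",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DetachInternetGateway",
                "userIdentity": {"type": "AssumedRole", "userName": "deployer"}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateNatGateway",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
]

if __name__ == "__main__":
    print(matching_events(CIS_PATTERN, SAMPLE_LOG_LINES))
```

Of the four constructed records, only the CreateInternetGateway and DetachInternetGateway lines are counted: read-only Describe calls and the NAT gateway call fall outside the pattern. If your environment depends on gateway types the CIS pattern does not list, that is the place to extend the filter, and the same dry run shows whether the extended pattern behaves as intended before it goes into the account.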
By following these guidelines precisely, you will reinforce the security of your AWS environment, which should, in turn, contribute positively to your organization's SEO endeavors by protecting your online infrastructure against potential threats that can compromise website integrity and user trust. This rule implementation will directly address the security of your network infrastructure, a vital part of an SEO strategy that prioritizes website availability and reliability.