This rule ensures the presence of a log metric filter and alarm for monitoring route table changes.
Rule | Ensure a log metric filter and alarm exist for route table changes |
Framework | cis_v140 |
Severity | ✔ Low |
Ensuring a Log Metric Filter and Alarm for Route Table Changes (CIS_V1.4.0)
CIS (Center for Internet Security) benchmarks recommend monitoring changes to route tables in cloud environments so that unauthorized or unexpected traffic routing can be detected quickly: a single added or replaced route can send a subnet's traffic to an internet gateway, a peering connection, a NAT device or an attacker-controlled instance. Setting up a log metric filter and alarm for route table changes is therefore part of maintaining the security and integrity of your VPC (Virtual Private Cloud). Here's a detailed guide on how to ensure that you have log monitoring and alerting for route table changes in AWS, aligned with the CIS AWS Foundations Benchmark v1.4.0 recommendation 4.13 (Ensure route table changes are monitored).
Prerequisites
A CloudTrail trail that records management events in all regions and delivers to a CloudWatch Logs log group (the log group is configured on the trail; the metric filter below is created in that group). An SNS topic with at least one confirmed subscription (email, HTTPS endpoint or an on-call integration) to receive the alarm notifications. Without the trail the filter has nothing to match, and without a subscribed topic the alarm fires but nobody is told.
Step 1: Creating the Log Metric Filter
Create Metric Filter in CloudWatch Logs
Go to the CloudWatch service in the AWS Management Console.
Under Logs, select Log groups and choose the log group that receives CloudTrail logs.
Click on Create metric filter.
In the filter pattern box, enter the following pattern (the CIS v1.4.0 recommendation 4.13 pattern, with AssociateRouteTable added):
{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = AssociateRouteTable) || ($.eventName = DisassociateRouteTable)) }
This pattern captures the EC2 API calls that create, delete or modify route tables, their routes and their subnet associations. CreateRoute, ReplaceRoute and DeleteRoute are the calls that actually change where traffic goes (for example, adding a 0.0.0.0/0 route to an internet gateway), so a filter that only watches the table lifecycle calls would miss the changes that matter most. The eventSource test keeps the filter from matching identically named calls from other services; API Gateway v2, for instance, has its own CreateRoute and DeleteRoute operations.
Choose Assign a metric and define the filter name and metric details:
Filter name: RouteTableChange
Metric namespace: CISBenchmark
Metric name: RouteTableChangeCount
Set the metric value to 1 (which increments the count each time the pattern is matched). Click on Create Filter.
Step 2: Setting Up the Alarm
Create an Alarm for the Metric Filter
In CloudWatch, navigate to Alarms and then click Create alarm.
Click on Select metric, go to the CISBenchmark namespace, and choose the metric RouteTableChangeCount. Click on the metric name and then Select metric.
Set the condition to trigger the alarm. For instance, choose Statistic as Sum, set the Period to 5 minutes, and Threshold type to Static. Define the threshold value according to your security policy, for example to trigger the alarm when a route table change is recorded once (>= 1).
Under the additional configuration, set missing data to be treated as good (not breaching). A metric filter publishes no data point at all in periods with no matches, so without this setting the alarm spends most of its time in INSUFFICIENT_DATA instead of returning to OK after a change has been reviewed.
Click on Next and configure actions. Set up a notification to an SNS topic that sends alerts when the alarm enters the ALARM state.
Name the alarm (e.g., Alarm_RouteTableChanges) and add an optional description. Click on Create alarm.
Remediation for Route Table Changes
If you receive an alarm about route table changes, validate whether the change was expected, authorized, and compliant with your governance policies. Query the CloudTrail logs for the matching events and identify who made the change (userIdentity), from where (sourceIPAddress, and whether the call came through the console, the CLI or an assumed role), and what was changed (requestParameters: the route table, the destination CIDR and the target). A new or replaced 0.0.0.0/0 route, or a route pointing at an unfamiliar instance, network interface, peering connection or gateway, deserves immediate attention. If the change was unauthorized, revert it, review the credentials that made it, and analyze the root cause to prevent future occurrences.
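As an added example (not code from the original page), the following Python replays the Step 1 filter pattern and the Step 2 alarm logic over a few constructed CloudTrail records, then extracts the who / where / what fields described under remediation. The records, ARNs, addresses and resource IDs are invented; the event names are those of the CIS v1.4.0 recommendation 4.13 pattern, with AssociateRouteTable added as in this page's filter. The five-minute bucketing and the Sum-with-threshold evaluation mirror the alarm settings above.

```python
"""Added example, not part of the original page: replay the route table filter
pattern and the alarm logic over constructed CloudTrail records, then pull the
who / where / what fields an analyst checks when the alarm fires."""
import json
from datetime import datetime, timezone

# eventName values from the CIS AWS Foundations Benchmark v1.4.0 control 4.13
# pattern, plus AssociateRouteTable as in this page's filter.
ROUTE_TABLE_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute",
    "AssociateRouteTable", "DisassociateRouteTable",
}
PERIOD_SECONDS = 300   # alarm Period: 5 minutes
THRESHOLD = 1          # Sum >= 1 raises the alarm


def matches_filter(event):
    """Equivalent of the CloudWatch Logs pattern
    { ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ...) }.
    The eventSource test matters: API Gateway v2 also logs CreateRoute/DeleteRoute."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in ROUTE_TABLE_EVENTS)


def load_events(log_text):
    """CloudTrail writes one JSON record per CloudWatch Logs log event."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def metric_datapoints(events, period=PERIOD_SECONDS):
    """Metric filter (metricValue=1) plus the Sum statistic: number of matching
    records per period, keyed by the period start in epoch seconds."""
    counts = {}
    for ev in events:
        if not matches_filter(ev):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = int(ts.replace(tzinfo=timezone.utc).timestamp()) // period * period
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def alarm_states(datapoints, threshold=THRESHOLD):
    """Static threshold, GreaterThanOrEqualToThreshold, one evaluation period.
    Periods with no matches produce no datapoint at all, which is why the alarm
    should treat missing data as not breaching."""
    return {b: ("ALARM" if c >= threshold else "OK") for b, c in datapoints.items()}


def triage(event):
    """Who made the change, from where, and what changed."""
    ident = event.get("userIdentity", {})
    return {"who": ident.get("arn", ident.get("principalId")),
            "from": event.get("sourceIPAddress"),
            "what": event.get("eventName"),
            "params": event.get("requestParameters")}


# Constructed sample records: CloudTrail field names, invented values.
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
CI = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # default route to an internet gateway: the classic exposure
    {"eventTime": "2024-05-01T10:02:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateRoute", "sourceIPAddress": "203.0.113.7", "userIdentity": ALICE,
     "requestParameters": {"routeTableId": "rtb-0a1b2c3d", "destinationCidrBlock": "0.0.0.0/0",
                           "gatewayId": "igw-0f9e8d7c"}},
    # read-only call: not a change, must not match
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeRouteTables", "sourceIPAddress": "203.0.113.7",
     "userIdentity": ALICE, "requestParameters": None},
    # same eventName from another service: excluded by the eventSource test
    {"eventTime": "2024-05-01T10:04:10Z", "eventSource": "apigateway.amazonaws.com",
     "eventName": "DeleteRoute", "sourceIPAddress": "198.51.100.2", "userIdentity": CI,
     "requestParameters": {"apiId": "a1b2c3d4e5", "routeId": "r9x8y7"}},
    {"eventTime": "2024-05-01T10:04:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ReplaceRoute", "sourceIPAddress": "198.51.100.2", "userIdentity": CI,
     "requestParameters": {"routeTableId": "rtb-0a1b2c3d", "destinationCidrBlock": "10.1.0.0/16",
                           "vpcPeeringConnectionId": "pcx-0c0ffee0"}},
    # next 5-minute period
    {"eventTime": "2024-05-01T10:11:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteRouteTable", "sourceIPAddress": "198.51.100.2", "userIdentity": CI,
     "requestParameters": {"routeTableId": "rtb-0a1b2c3d"}},
])


def run(log_text=SAMPLE_LOG):
    """Datapoints per period, the resulting alarm state, and triage rows."""
    events = load_events(log_text)
    points = metric_datapoints(events)
    return {"datapoints": points,
            "alarm": alarm_states(points),
            "triage": [triage(e) for e in events if matches_filter(e)]}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Running it yields two datapoints (2 matches in the 10:00 period, 1 in the 10:10 period), both in ALARM, and three triage rows; the DescribeRouteTables call and the API Gateway DeleteRoute are correctly ignored. The first triage row, a 0.0.0.0/0 route to an internet gateway added by an IAM user, is the kind of change to check against a ticket before anything else.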
AWS CLI Commands
Create Metric Filter
aws logs put-metric-filter \
  --log-group-name "<cloudtrail_log_group_name>" \
  --filter-name "RouteTableChange" \
  --filter-pattern '{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = AssociateRouteTable) || ($.eventName = DisassociateRouteTable)) }' \
  --metric-transformations metricName="RouteTableChangeCount",metricNamespace="CISBenchmark",metricValue="1"
Create Alarm
aws cloudwatch put-metric-alarm \
  --alarm-name "Alarm_RouteTableChanges" \
  --metric-name "RouteTableChangeCount" \
  --namespace "CISBenchmark" \
  --statistic "Sum" \
  --period 300 \
  --threshold 1 \
  --comparison-operator "GreaterThanOrEqualToThreshold" \
  --evaluation-periods 1 \
  --treat-missing-data "notBreaching" \
  --alarm-actions "arn:aws:sns:<region>:<account-id>:<sns_topic_name>"
Do not pass --unit here: the metric filter above publishes its data points without a unit, and an alarm that specifies a unit the metric is not published with never receives data and stays in INSUFFICIENT_DATA. Replace <region>, <account-id> and <sns_topic_name> with the values of the topic created as a prerequisite.
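To verify the control after (or instead of) the console steps, the check below, an added example rather than the page's own code, consumes the JSON that `aws logs describe-metric-filters --log-group-name <group>` and `aws cloudwatch describe-alarms` return and reports what is missing. The filter and alarm documents in the block are constructed to match those CLI output shapes; the SNS topic ARN, log group name and account ID are invented. The check covers the event names, the eventSource constraint, the alarm binding and the SNS action; whether the topic actually has a confirmed subscription is left to a separate `aws sns list-subscriptions-by-topic` call.

```python
"""Added example, not part of the original page: offline check of this control
against the JSON that `aws logs describe-metric-filters` and
`aws cloudwatch describe-alarms` return. The inputs below are constructed."""
import re

# The eventName set the CIS v1.4.0 control 4.13 pattern must cover.
REQUIRED_EVENTS = {
    "CreateRoute", "CreateRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DeleteRouteTable", "DeleteRoute",
    "DisassociateRouteTable",
}


def event_names_in_pattern(pattern):
    """eventName literals a filter pattern compares against (bare or quoted)."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?(\w+)"?', pattern))


def check_route_table_monitoring(filters_out, alarms_out):
    """Return a list of findings; an empty list means the control is satisfied."""
    findings, covering = [], []
    for f in filters_out.get("metricFilters", []):
        pattern = f.get("filterPattern", "")
        names = event_names_in_pattern(pattern)
        if not names & REQUIRED_EVENTS:
            continue                      # unrelated filter (e.g. security groups)
        missing = REQUIRED_EVENTS - names
        if missing:
            findings.append(f"filter {f['filterName']} misses: "
                            + ", ".join(sorted(missing)))
            continue
        if "ec2.amazonaws.com" not in pattern:
            findings.append(f"filter {f['filterName']} does not restrict eventSource")
        covering.append(f)
    if not covering:
        findings.append("no metric filter covers every route table event name")
        return findings

    # The filter's metric must be watched by an alarm that notifies an SNS topic.
    alarmed = False
    for f in covering:
        for t in f.get("metricTransformations", []):
            for a in alarms_out.get("MetricAlarms", []):
                if (a.get("MetricName"), a.get("Namespace")) != (
                        t.get("metricName"), t.get("metricNamespace")):
                    continue
                sns = [x for x in a.get("AlarmActions", []) if x.startswith("arn:aws:sns:")]
                if not sns:
                    findings.append(f"alarm {a['AlarmName']} has no SNS action")
                else:
                    alarmed = True
    if not alarmed:
        findings.append("no alarm with an SNS action watches the route table metric")
    return findings


# Constructed CLI output shapes (values invented).
CIS_PATTERN = ('{ ($.eventSource = ec2.amazonaws.com) && (($.eventName = CreateRoute) || '
               '($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || '
               '($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || '
               '($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable)) }')
# A pattern that only watches table lifecycle calls and misses route edits.
LIFECYCLE_ONLY_PATTERN = ('{ ($.eventName = CreateRouteTable) || ($.eventName = DeleteRouteTable) || '
                          '($.eventName = ReplaceRouteTableAssociation) || '
                          '($.eventName = AssociateRouteTable) || ($.eventName = DisassociateRouteTable) }')


def filters_with(pattern):
    return {"metricFilters": [{
        "filterName": "RouteTableChange", "logGroupName": "CloudTrail/DefaultLogGroup",
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": "RouteTableChangeCount",
                                   "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]}


ALARMS = {"MetricAlarms": [{
    "AlarmName": "Alarm_RouteTableChanges", "MetricName": "RouteTableChangeCount",
    "Namespace": "CISBenchmark", "Statistic": "Sum", "Period": 300, "Threshold": 1.0,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold", "EvaluationPeriods": 1,
    "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"]}]}


if __name__ == "__main__":
    print(check_route_table_monitoring(filters_with(CIS_PATTERN), ALARMS))
    print(check_route_table_monitoring(filters_with(LIFECYCLE_ONLY_PATTERN), ALARMS))
```

With the benchmark pattern and a subscribed alarm the check returns no findings; with the lifecycle-only pattern it names the three missing route-edit events, and with no alarm, or an alarm without an SNS action, it says so. Feed it the real CLI output by loading the two JSON documents with `json.load` and passing them in place of the constructed ones.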
With the filter and alarm in place you satisfy the CIS benchmark control and get a timely signal whenever traffic routing in your VPCs changes. The signal is only as good as its delivery: confirm the SNS topic has a subscribed recipient, and periodically review the events the alarm fired on so that routine, authorized changes are handled through a change process rather than tuned out.