Ensure a Log Metric Filter and Alarm Exist for VPC Changes Rule

This rule ensures the presence of a log metric filter and alarm for VPC changes.

Rule: Ensure a log metric filter and alarm exist for VPC changes
Framework: cis_v140
Severity: Low

Rule Description:

This rule is implemented to ensure that a log metric filter and alarm exist for any changes made to Virtual Private Cloud (VPC) configurations in accordance with the CIS AWS Foundations Benchmark (Version 1.4.0).

Troubleshooting Steps:

If there are any issues with the log metric filter or alarm, follow these troubleshooting steps:

  1. Verify IAM Permissions: Ensure that the IAM user or role used to create the log metric filter and alarm has the necessary permissions. The user or role should have cloudwatch:PutMetricFilter and cloudwatch:PutMetricAlarm permissions.

  2. Check Log Group Configuration: Confirm that the log group associated with the VPC changes is correctly configured. Ensure that the log group has a proper retention policy and is receiving logs from relevant AWS services.

  3. Review Filter Pattern: Examine the log metric filter's filter pattern to ensure it matches the expected pattern for VPC changes. If the pattern is incorrect or missing, modify it to match the appropriate log events.

  4. Validate Alarm Configuration: Double-check the alarm configuration, including threshold values, actions, and notifications. Ensure that the alarm is configured to trigger when VPC changes occur.

  5. Verify Alarm Actions: Check the actions associated with the alarm, such as sending notifications or triggering automated responses. Ensure that the appropriate actions are defined and functioning correctly.

  6. Test the Alarm: Create a test VPC change or intentionally modify an existing VPC configuration to trigger the alarm. Verify that the alarm is triggered and notifications are sent as expected.

Necessary Codes:

There are no specific codes required for this rule. However, you may need to use AWS CloudFormation, AWS CLI, or AWS SDKs to create the log metric filter and alarm if they are not already configured.

Step-by-Step Guide for Remediation:

Follow these steps to ensure that the log metric filter and alarm for VPC changes are properly configured:

  1. Identify the Log Group: Determine the log group where VPC changes are logged. This log group should contain the relevant VPC configuration change logs.

  2. Create a Log Metric Filter: Create a log metric filter for the identified log group using the AWS CloudWatch Console, AWS CLI, or CloudFormation. Configure the filter to match the log events related to VPC changes. The filter pattern may include keywords like "CreateVpc", "DeleteVpc", "ModifyVpcAttribute", or any other relevant patterns.

  3. Configure Metric and Namespace: While creating the log metric filter, define a metric name and namespace for the filter. This metric will be used to trigger the alarm when VPC changes occur.

  4. Set Alarm Thresholds: Create an alarm based on the metric generated by the log metric filter. Specify the thresholds for triggering the alarm, such as the number of VPC changes within a specific time period.

  5. Configure Alarm Actions: Define alarm actions for the triggered alarm, such as sending notifications or invoking automated responses. Specify the appropriate actions based on your requirements.

  6. Test the Configuration: Validate the log metric filter and alarm by making intentional VPC changes or creating test VPCs. Ensure that the alarm is triggered and the desired actions are executed.

  7. Monitor and Maintain: Regularly review the metric filter and alarm configuration to ensure they remain up to date with any changes in VPC-related logs. Make updates as necessary to adapt to new log formats or patterns.

By following these steps, you can ensure that a log metric filter and alarm exist for VPC changes, as required by the CIS AWS Foundations Benchmark (Version 1.4.0).
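The following is an added example, not code from CloudDefense or from the CIS benchmark itself. It covers the remediation steps above (filter pattern, metric and namespace, alarm threshold and action) as well as the "Review Filter Pattern" troubleshooting step: it builds the CIS v1.4.0 filter pattern for VPC changes (the benchmark lists the VPC, VPC peering and ClassicLink event names, of which the page names three), checks an existing filter pattern for missing event names, evaluates constructed CloudTrail records against the pattern locally, and assembles the parameters for the two AWS API calls. The log group name, SNS topic ARN, filter name, metric name and namespace are assumed placeholders; the alarm settings (Sum over a 300-second period, threshold 1) follow the benchmark's recommendation. Note that PutMetricFilter is a CloudWatch Logs API, so the IAM action that grants it is `logs:PutMetricFilter`; `cloudwatch:PutMetricAlarm` is the action for the alarm. Applying the calls requires boto3 clients and credentials; the builder and checker functions run offline.

```python
"""Build and check the CIS v1.4.0 VPC-change metric filter and alarm.

Added example, not CloudDefense's own code. Clients are injected so the
builder and checker functions can be exercised without AWS access.
"""
import json
import re

# Event names named by CIS AWS Foundations Benchmark v1.4.0 for VPC changes.
VPC_CHANGE_EVENTS = (
    "CreateVpc", "DeleteVpc", "ModifyVpcAttribute",
    "AcceptVpcPeeringConnection", "CreateVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
    "AttachClassicLinkVpc", "DetachClassicLinkVpc",
    "DisableVpcClassicLink", "EnableVpcClassicLink",
)

# Regex for the "$.eventName = Name" selectors used in a CloudWatch Logs
# JSON filter pattern.
_SELECTOR = re.compile(r"\$\.eventName\s*=\s*([A-Za-z]+)")


def cis_filter_pattern():
    """Return the CloudWatch Logs filter pattern: { (sel) || (sel) || ... }."""
    clauses = " || ".join(f"($.eventName = {name})" for name in VPC_CHANGE_EVENTS)
    return "{ " + clauses + " }"


def missing_event_names(existing_pattern):
    """Troubleshooting step 3: list benchmark event names an existing
    filter pattern does not select. An empty list means the pattern covers
    everything the benchmark requires."""
    selected = set(_SELECTOR.findall(existing_pattern))
    return sorted(set(VPC_CHANGE_EVENTS) - selected)


def event_matches(pattern, record_json):
    """Local approximation of how CloudWatch Logs applies the pattern to one
    CloudTrail record: the record must be JSON and its eventName must be one
    of the selected names. Non-JSON lines never match a JSON selector."""
    try:
        record = json.loads(record_json)
    except json.JSONDecodeError:
        return False
    return record.get("eventName") in set(_SELECTOR.findall(pattern))


def build_remediation(log_group, sns_topic_arn, filter_name="CIS-VpcChanges",
                      metric_name="VpcChangeCount", namespace="CISBenchmark"):
    """Return kwargs for the two calls that remediate the finding:
    logs.put_metric_filter(**calls["metric_filter"]) and
    cloudwatch.put_metric_alarm(**calls["alarm"])."""
    return {
        "metric_filter": {
            "logGroupName": log_group,
            "filterName": filter_name,
            "filterPattern": cis_filter_pattern(),
            "metricTransformations": [{
                "metricName": metric_name,
                "metricNamespace": namespace,
                "metricValue": "1",   # count one per matching record
            }],
        },
        "alarm": {
            "AlarmName": f"{filter_name}-Alarm",
            "MetricName": metric_name,
            "Namespace": namespace,
            "Statistic": "Sum",
            "Period": 300,            # benchmark: 5-minute period
            "EvaluationPeriods": 1,
            "Threshold": 1,           # benchmark: fire on a single change
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn],
            "TreatMissingData": "notBreaching",
        },
    }


def apply_remediation(calls, logs_client, cloudwatch_client):
    """Apply the calls with injected boto3 clients (boto3.client("logs") and
    boto3.client("cloudwatch")). Needs logs:PutMetricFilter and
    cloudwatch:PutMetricAlarm on the caller's identity."""
    logs_client.put_metric_filter(**calls["metric_filter"])
    cloudwatch_client.put_metric_alarm(**calls["alarm"])


# Constructed sample CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    '{"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc"}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVpcs"}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVpcPeeringConnection"}',
    'not a json record',
]


def count_matching(records, pattern=None):
    """Number of records the filter would turn into metric data points."""
    pattern = pattern or cis_filter_pattern()
    return sum(1 for r in records if event_matches(pattern, r))


if __name__ == "__main__":
    calls = build_remediation("CloudTrail/DefaultLogGroup",            # assumed
                              "arn:aws:sns:us-east-1:111122223333:cis-alerts")  # assumed
    print(json.dumps(calls, indent=2))
    print("records that would count:", count_matching(SAMPLE_RECORDS))
    print("gaps in a partial pattern:",
          missing_event_names("{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) }"))
```

`missing_event_names` is the check to run against a filter that already exists in the account (the `filterPattern` returned by `describe-metric-filters`): the rule is only satisfied when the list comes back empty and the filter sits on the CloudTrail log group that receives management events from all regions. `count_matching` is what the "Test the Alarm" step exercises end to end; running it locally first confirms the pattern itself before any real VPC change is made.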
