This rule ensures that a log metric filter and alarm exist for changes to IAM policies.

| Rule | Ensure a log metric filter and alarm exist for IAM policy changes |
| --- | --- |
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule: IAM Policy Change Log Metric and Alarm (cis_v140)
This rule ensures that a CloudWatch Logs metric filter and a CloudWatch alarm are in place to detect and alert on changes to IAM policies recorded by CloudTrail. Unauthorized or unexpected policy modifications are a common path to privilege escalation and unauthorized access to resources, so they should be surfaced promptly.
Description
IAM policies control access to AWS resources and define which actions can be performed on them. Monitoring changes to IAM policies is therefore essential to maintaining a secure environment. Implementing this rule configures a log metric filter that matches IAM policy change API calls in the CloudTrail log group and an alarm that fires when the resulting metric is non-zero.
Troubleshooting Steps
1. Verify IAM policy change log metric filter
To troubleshoot, follow these steps to verify that the IAM policy change log metric filter exists and that its pattern covers the required events:
/aws/iam/
2. Check IAM policy change alarm
If the IAM policy change log metric filter exists, follow these steps to verify that an alarm is associated with its metric and has at least one action (such as an SNS topic with a subscriber):
Necessary Codes
There are no specific codes required for this rule.
Remediation Steps
To implement this rule and ensure that a log metric filter and alarm exist for IAM policy changes, follow these steps. CloudTrail must already be configured to deliver events to a CloudWatch Logs log group; a metric filter can only match events that reach that log group.
/aws/iam/
{ ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) }
This pattern captures the IAM API actions that modify policies. Note that it omits DeleteGroupPolicy, DeleteRolePolicy, DeleteUserPolicy, CreatePolicyVersion and DeletePolicyVersion, all of which appear in the CIS AWS Foundations Benchmark v1.4.0 control 4.4 reference pattern; a filter built from the shorter pattern will not alert on deleted inline policies or on new versions of a managed policy, so the longer pattern is the safer choice.
Once the above steps are completed, the log metric filter and alarm for IAM policy changes will be in place and actively monitoring the specified log group. Any matching change to an IAM policy will trigger the alarm and notify the subscribed personnel for appropriate action.
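The following Python script is an added example, not code from this rule's author or from AWS. It applies the filter pattern to constructed CloudTrail records to show which events would increment the metric, compares the page's pattern with the CIS v1.4.0 control 4.4 reference pattern, and runs the troubleshooting checks above over constructed JSON shaped like the output of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`. The filter, metric, alarm and SNS topic names are assumptions, not values from the page.

```python
"""Evaluate IAM policy change metric filter patterns and audit filter/alarm
configuration. Added example for this page; sample events and API responses
are constructed, and all resource names are assumptions."""
from __future__ import annotations

import re

# Reference pattern from CIS AWS Foundations Benchmark v1.4.0, control 4.4.
CIS_44_PATTERN = (
    "{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || "
    "($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || "
    "($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || "
    "($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || "
    "($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || "
    "($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || "
    "($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || "
    "($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }"
)

# The shorter pattern given in the Remediation Steps on this page.
PAGE_PATTERN = (
    "{ ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || "
    "($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || "
    "($.eventName = DeletePolicy) || ($.eventName = AttachGroupPolicy) || "
    "($.eventName = DetachGroupPolicy) || ($.eventName = AttachRolePolicy) || "
    "($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || "
    "($.eventName = DetachUserPolicy) }"
)

# One "($.eventName = Name)" term of an OR-of-equality filter pattern.
_TERM = re.compile(r"\(\s*\$\.eventName\s*=\s*\"?([A-Za-z]+)\"?\s*\)")


def event_names(pattern: str) -> set[str]:
    """Extract the eventName values the pattern matches."""
    return set(_TERM.findall(pattern))


def matches(pattern: str, record: dict) -> bool:
    """True if a CloudTrail record would increment the metric for `pattern`."""
    return record.get("eventName") in event_names(pattern)


def missing_events(pattern: str) -> set[str]:
    """CIS 4.4 events that a candidate pattern fails to cover."""
    return event_names(CIS_44_PATTERN) - event_names(pattern)


def audit(filters_resp: dict, alarms_resp: dict) -> list[str]:
    """Run the troubleshooting checks over describe-metric-filters and
    describe-alarms output. Returns findings; an empty list means pass."""
    findings: list[str] = []
    covered: list[tuple[str, str]] = []   # (namespace, metric) pairs that cover CIS 4.4
    for f in filters_resp.get("metricFilters", []):
        gap = missing_events(f.get("filterPattern", ""))
        if gap:
            findings.append(f"filter {f['filterName']} misses {sorted(gap)}")
            continue
        for t in f.get("metricTransformations", []):
            covered.append((t["metricNamespace"], t["metricName"]))
    if not covered:
        findings.append("no metric filter covers all CIS 4.4 IAM policy events")
        return findings
    alarmed = False
    for a in alarms_resp.get("MetricAlarms", []):
        if (a.get("Namespace"), a.get("MetricName")) in covered:
            if a.get("AlarmActions"):
                alarmed = True      # alarm exists and can notify someone
            else:
                findings.append(f"alarm {a['AlarmName']} has no AlarmActions")
    if not alarmed:
        findings.append("no alarm with an action is attached to the IAM policy change metric")
    return findings


# Constructed CloudTrail records (not real events).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeletePolicyVersion"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetPolicy"},
]

# Constructed API responses shaped like the CLI output; names are assumptions.
FILTERS_OK = {"metricFilters": [{
    "filterName": "iam-policy-changes",
    "filterPattern": CIS_44_PATTERN,
    "logGroupName": "CloudTrail/DefaultLogGroup",
    "metricTransformations": [{"metricName": "IAMPolicyChangeCount",
                               "metricNamespace": "CISBenchmark",
                               "metricValue": "1"}],
}]}
FILTERS_SHORT = {"metricFilters": [dict(FILTERS_OK["metricFilters"][0],
                                        filterPattern=PAGE_PATTERN)]}
ALARMS_OK = {"MetricAlarms": [{
    "AlarmName": "iam-policy-changes-alarm",
    "Namespace": "CISBenchmark", "MetricName": "IAMPolicyChangeCount",
    "Statistic": "Sum", "Period": 300, "Threshold": 1.0,
    "ComparisonOperator": "GreaterThanOrEqualToThreshold",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]}
ALARMS_NO_ACTION = {"MetricAlarms": [dict(ALARMS_OK["MetricAlarms"][0], AlarmActions=[])]}

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["eventName"], "page:", matches(PAGE_PATTERN, e),
              "cis:", matches(CIS_44_PATTERN, e))
    print("page pattern misses:", sorted(missing_events(PAGE_PATTERN)))
    print("audit ok:", audit(FILTERS_OK, ALARMS_OK))
    print("audit short pattern:", audit(FILTERS_SHORT, ALARMS_OK))
    print("audit no action:", audit(FILTERS_OK, ALARMS_NO_ACTION))
```

Against real accounts, feed `audit` the parsed JSON from `aws logs describe-metric-filters --log-group-name <cloudtrail-log-group>` and `aws cloudwatch describe-alarms`. The alarm check deliberately fails when `AlarmActions` is empty: an alarm that transitions to ALARM with nobody subscribed satisfies the letter of "an alarm exists" but never alerts anyone.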
Note: The principal that creates and manages the log metric filter and alarm needs the corresponding permissions (for example logs:PutMetricFilter and cloudwatch:PutMetricAlarm); grant these to a dedicated role rather than to the individuals who will be alerted.