Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes Rule

This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes.

Rule: Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Framework: cis_v140
Severity: Low

Rule Description:

This rule requires the presence of a log metric filter and alarm for CloudTrail configuration changes, as specified by the CIS AWS Foundations Benchmark version 1.4.0 (cis_v140), control 4.5. Its purpose is to detect any modification of the CloudTrail configuration, including stopping logging on a trail, so that unauthorized or inadvertent changes are promptly identified and investigated. Disabling or narrowing a trail is a common first move by an attacker who wants to blind detection after gaining access, which is why the control covers StartLogging and StopLogging in addition to trail creation, update and deletion.

Troubleshooting Steps:

If the log metric filter and alarm for CloudTrail configuration changes are not in place, follow these troubleshooting steps to implement the required measures:

  1. Ensure that the AWS CloudTrail service is enabled in your account and properly configured. Verify this in the AWS CloudTrail console: at least one multi-region trail must exist, be logging, and be configured to deliver events to a CloudWatch Logs log group (a trail that only writes to S3 produces no log group, so no metric filter can be attached to it). If not, create or update a trail to enable logging and CloudWatch Logs delivery.

  2. Check whether you have a log metric filter specifically for CloudTrail configuration changes. To do this:

    • Open the AWS CloudWatch console.
    • Navigate to the "Log groups" section.
    • Search for the log group that your CloudTrail trail delivers to.
    • Open the log group and select the "Metric filters" tab (metric filters belong to the log group, not to an individual log stream).
    • Verify that a filter captures the configuration-change events, that is "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging" and "StopLogging". A filter that omits StartLogging and StopLogging does not satisfy the control, because stopping a trail is the change most worth alerting on.
  3. If no log metric filter exists, create one. Follow these steps to create a log metric filter for CloudTrail configuration changes:

    • From the log group's "Metric filters" tab, click "Create metric filter".
    • Specify the filter pattern that captures the required CloudTrail events. The pattern given in the CIS benchmark is
      { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
    • Use "Test pattern" with a recent log stream to confirm the pattern matches actual events before saving.
    • Configure the "Filter name" according to your preference.
    • In the "Metric details" section, define a namespace and a metric name for the metric filter, and set the metric value to 1 so each matching event counts once.
    • Optionally set a default value of 0 so the metric is emitted even for batches with no matches.
    • Click "Create filter" to save the log metric filter.
  4. Once the log metric filter is in place, set up an alarm that triggers when the filter matches. Follow these steps to create an alarm for CloudTrail configuration changes:

    • From the metric filter page, select the filter and click "Create alarm".
    • Configure the alarm as the benchmark describes: statistic Sum, period 5 minutes (300 seconds), threshold type static, condition "Greater/Equal" than 1, evaluation periods 1. Any single configuration change within a five-minute window then puts the alarm into ALARM state.
    • Configure the action to take when the alarm state is reached: send a notification to an Amazon SNS topic. The topic must have at least one active subscription (for example an e-mail address or a ticketing endpoint); an alarm that publishes to a topic nobody subscribes to is not considered compliant.
    • Specify a name and description for the alarm that clearly indicate it relates to CloudTrail configuration changes.
    • Click "Create alarm" to save the alarm configuration.

Code Snippet:

The steps above are described for the AWS Management Console, but the same filter and alarm can be created with the AWS CLI (`aws logs put-metric-filter` and `aws cloudwatch put-metric-alarm`) or the SDKs when automated provisioning is required; the Amazon CloudWatch documentation provides the parameter reference for both calls.
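The following Python is an added example, not code from the page or from the Cloud Defense product. It exercises the CIS v1.4.0 control 4.5 filter pattern against constructed CloudTrail records, compares it with the narrower three-event pattern often seen in write-ups, audits a constructed inventory shaped like the output of `aws logs describe-metric-filters` and `aws cloudwatch describe-alarms`, and prints the two AWS CLI commands that remediate a failing account. The log group name, SNS topic ARN, namespace and metric name are assumed placeholders; the parser only understands the `($.eventName = X) || ...` clause shape this control uses, not the full CloudWatch Logs filter syntax.

```python
import re

# Filter pattern specified by CIS AWS Foundations Benchmark v1.4.0, control 4.5.
CIS_45_PATTERN = (
    "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) }"
)
# Narrower pattern seen in many write-ups; it misses logging being stopped or started.
NARROW_PATTERN = "{($.eventName = UpdateTrail) || ($.eventName = CreateTrail) || ($.eventName = DeleteTrail)}"


def pattern_event_names(pattern):
    """Event names OR-ed together in a '($.eventName = X) || ...' filter pattern.
    Only this clause shape is parsed; it is all control 4.5 needs."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z]+)"?', pattern))


REQUIRED_EVENTS = pattern_event_names(CIS_45_PATTERN)


def matches(record, pattern=CIS_45_PATTERN):
    """True when a CloudTrail record would increment the metric for `pattern`."""
    return record.get("eventName") in pattern_event_names(pattern)


# Constructed CloudTrail records, trimmed to the fields that matter here.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},  # read-only
    {"eventSource": "logs.amazonaws.com", "eventName": "DeleteMetricFilter", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},  # different control
]


def count_matches(records, pattern=CIS_45_PATTERN):
    """Sum the filter would emit for this batch with metricValue=1."""
    return sum(1 for r in records if matches(r, pattern))


def find_covering_filter(metric_filters):
    """metric_filters: items shaped like 'metricFilters' from describe-metric-filters.
    Returns the first filter whose pattern covers every required event name, else None."""
    for mf in metric_filters:
        if REQUIRED_EVENTS <= pattern_event_names(mf.get("filterPattern", "")):
            return mf
    return None


def alarm_with_sns_action(alarms, metric_filter):
    """alarms: items shaped like 'MetricAlarms' from describe-alarms.
    True if an alarm watches the filter's metric and has at least one SNS action."""
    t = metric_filter["metricTransformations"][0]
    for a in alarms:
        if (a.get("Namespace") == t["metricNamespace"]
                and a.get("MetricName") == t["metricName"]
                and any(x.startswith("arn:aws:sns:") for x in a.get("AlarmActions", []))):
            return True
    return False


def check_compliance(metric_filters, alarms):
    """Verdict for the rule: a covering filter exists and an alarm on it notifies SNS."""
    mf = find_covering_filter(metric_filters)
    if mf is None:
        return "FAIL: no metric filter covers " + ", ".join(sorted(REQUIRED_EVENTS))
    if not alarm_with_sns_action(alarms, mf):
        return "FAIL: filter %s has no alarm with an SNS action" % mf["filterName"]
    return "PASS"


def remediation_commands(log_group, sns_topic_arn, namespace="CISBenchmark", metric="CloudTrailChanges"):
    """AWS CLI commands (returned as strings, not executed) that create the filter and alarm
    with the statistic, period, threshold and evaluation period the benchmark specifies."""
    return [
        "aws logs put-metric-filter --log-group-name %s --filter-name %s --filter-pattern '%s' "
        "--metric-transformations metricName=%s,metricNamespace=%s,metricValue=1"
        % (log_group, metric, CIS_45_PATTERN, metric, namespace),
        "aws cloudwatch put-metric-alarm --alarm-name %s --namespace %s --metric-name %s "
        "--statistic Sum --period 300 --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold "
        "--evaluation-periods 1 --alarm-actions %s" % (metric, namespace, metric, sns_topic_arn),
    ]


# Constructed inventory in the shape the two describe calls return (assumed names).
GOOD_FILTER = {"filterName": "CloudTrailChanges", "filterPattern": CIS_45_PATTERN,
               "metricTransformations": [{"metricName": "CloudTrailChanges", "metricNamespace": "CISBenchmark", "metricValue": "1"}]}
NARROW_FILTER = dict(GOOD_FILTER, filterName="NarrowCloudTrailChanges", filterPattern=NARROW_PATTERN)
SNS_ALARM = {"AlarmName": "CloudTrailChanges", "Namespace": "CISBenchmark", "MetricName": "CloudTrailChanges",
             "Statistic": "Sum", "Period": 300, "Threshold": 1.0, "EvaluationPeriods": 1,
             "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"]}
SILENT_ALARM = dict(SNS_ALARM, AlarmActions=[])

if __name__ == "__main__":
    print("CIS pattern matched:", count_matches(SAMPLE_RECORDS))            # 2
    print("narrow pattern matched:", count_matches(SAMPLE_RECORDS, NARROW_PATTERN))  # 1, StopLogging missed
    print(check_compliance([NARROW_FILTER], [SNS_ALARM]))
    print(check_compliance([GOOD_FILTER], [SILENT_ALARM]))
    print(check_compliance([GOOD_FILTER], [SNS_ALARM]))
    print("\n".join(remediation_commands("CloudTrail/DefaultLogGroup", SNS_ALARM["AlarmActions"][0])))
```

The narrow pattern scores only one of the two real configuration changes in the sample because the StopLogging call slips past it, which is exactly the event a defender most needs to see. The compliance check mirrors what the rule asks for: it is not enough for a filter to exist, the alarm must reference the filter's metric and carry an SNS action, and in a real audit you would additionally confirm the SNS topic has a live subscription.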

Remediation Steps:

To remediate any non-compliance with this rule, follow these step-by-step instructions:

  1. Ensure that the AWS CloudTrail service is enabled and configured properly:

    • Access the AWS Management Console.
    • Navigate to the AWS CloudTrail service.
    • Confirm that a multi-region trail is logging and is configured to deliver to a CloudWatch Logs log group; follow the AWS CloudTrail documentation to enable or update the trail if necessary.
  2. Create a log metric filter for CloudTrail configuration changes:

    • Open the AWS CloudWatch console.
    • Navigate to the "Log groups" section.
    • Search for the log group that your CloudTrail trail delivers to.
    • Open the "Metric filters" tab and click "Create metric filter".
    • Specify the filter pattern from the CIS benchmark, covering CreateTrail, UpdateTrail, DeleteTrail, StartLogging and StopLogging.
    • Assign a filter name.
    • Configure the log metric filter to create a new metric with a suitable namespace and name, and a metric value of 1.
    • Save the log metric filter.
  3. Set up an alarm for CloudTrail configuration changes:

    • From the metric filter page in AWS CloudWatch, select the filter and click "Create alarm".
    • Define the threshold: statistic Sum over a 5-minute period, static threshold greater than or equal to 1, 1 evaluation period.
    • Configure the action to perform when the alarm state is reached: a notification to an Amazon SNS topic that has at least one subscriber.
    • Assign a name and description for the alarm.
    • Save the alarm configuration.

By following these steps, you can ensure compliance with the rule and establish a monitoring system to detect any unauthorized or inadvertent changes to your CloudTrail configuration.
