This rule ensures the presence of a log metric filter and alarm for CloudTrail configuration changes.
| Field | Value |
|---|---|
| Rule | Ensure a log metric filter and alarm exist for CloudTrail configuration changes |
| Framework | cis_v140 |
| Severity | Low |
Rule Description:
This rule requires the presence of a log metric filter and alarm for CloudTrail configuration changes, specifically for CIS benchmark version 1.4.0 (cis_v140). The purpose of this rule is to detect any modifications made to the CloudTrail configuration, ensuring that any unauthorized or inadvertent changes are promptly identified and investigated.
Troubleshooting Steps:
If the log metric filter and alarm for CloudTrail configuration changes are not in place, follow these troubleshooting steps to implement the required measures:
Ensure that the AWS CloudTrail service is enabled in your account and properly configured. You can verify this by accessing the AWS CloudTrail console and confirming that the necessary trails are set up and collecting logs. If not, create or update a trail to enable logging.
Check whether a log metric filter specifically for CloudTrail configuration changes already exists in the log group that your CloudTrail trail delivers to.
If no such log metric filter exists, you'll need to create one. When creating it, use the filter pattern

```
{($.eventName = UpdateTrail) || ($.eventName = CreateTrail) || ($.eventName = DeleteTrail)}
```

to capture the required events. Once the log metric filter is in place, set up an alarm that triggers notifications when the filter condition is met. Follow these steps to create an alarm for CloudTrail configuration changes:
Code Snippet:
There is no specific code snippet for this rule, as it involves setting up configurations within the AWS Management Console. However, the Amazon CloudWatch documentation provides examples and detailed instructions for creating log metric filters and alarms programmatically using the AWS CLI or SDKs if automated provisioning is required.
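The following is an added example, not code from the page or from the benchmark publisher, that makes the rule concrete offline: it emulates how a CloudWatch Logs metric filter of the `($.eventName = X) || ...` shape evaluates CloudTrail events, and audits a `describe_metric_filters()`-shaped response to check whether any filter covers every event name the CIS v1.4.0 control expects. The CIS pattern used here also includes `StartLogging` and `StopLogging` in addition to the three event names quoted above; the sample events, filter names and the response dict are constructed, and the pattern parser only handles this simple OR-of-equalities shape (an assumption, not a general filter-language parser).

```python
"""Added example: emulate the CIS 4.5 CloudTrail-configuration-change metric filter
and audit metric filters for coverage. Runs entirely on constructed sample data."""
import re

# Event names the CIS AWS Foundations Benchmark v1.4.0 control expects the filter to catch.
CIS_CONFIG_CHANGE_EVENTS = frozenset({
    "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
})

# The narrower pattern quoted on the page (no StartLogging/StopLogging terms).
PAGE_PATTERN = (
    "{($.eventName = UpdateTrail) || ($.eventName = CreateTrail) || "
    "($.eventName = DeleteTrail)}"
)
# The full CIS v1.4.0 pattern.
CIS_PATTERN = (
    "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
    "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
    "($.eventName = StopLogging) }"
)

# Matches one ($.eventName = Value) term; assumption: patterns are an OR of such terms.
_EVENTNAME_TERM = re.compile(r"\$\.eventName\s*=\s*\"?([A-Za-z]+)\"?")


def event_names_in_pattern(pattern: str) -> frozenset:
    """Return the eventName values a simple OR-of-equalities filter pattern matches."""
    return frozenset(_EVENTNAME_TERM.findall(pattern))


def filter_matches(pattern: str, event: dict) -> bool:
    """Emulate the metric filter: True when the event's eventName is listed in the pattern."""
    return event.get("eventName") in event_names_in_pattern(pattern)


def missing_events(pattern: str) -> frozenset:
    """CIS-required event names that the given pattern does not cover."""
    return CIS_CONFIG_CHANGE_EVENTS - event_names_in_pattern(pattern)


def count_alarm_triggers(pattern: str, events: list) -> int:
    """Number of events that would increment the metric (and so feed the alarm)."""
    return sum(filter_matches(pattern, e) for e in events)


def audit_metric_filters(describe_response: dict) -> dict:
    """Audit a describe_metric_filters()-shaped response (key 'metricFilters', each with
    'filterName' and 'filterPattern'). Compliant when one filter covers all CIS event names;
    reports the best-covering filter and what it still misses."""
    best_name, best_missing = None, CIS_CONFIG_CHANGE_EVENTS
    for mf in describe_response.get("metricFilters", []):
        missing = missing_events(mf.get("filterPattern", ""))
        if len(missing) < len(best_missing):
            best_name, best_missing = mf.get("filterName"), missing
    return {
        "compliant": not best_missing,
        "filterName": best_name,
        "missing": sorted(best_missing),
    }


# Constructed sample CloudTrail events (not real account data).
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "UpdateTrail", "eventSource": "cloudtrail.amazonaws.com"},
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com"},
]

if __name__ == "__main__":
    # StopLogging silences the trail but only the CIS pattern would alarm on it.
    print("page pattern triggers:", count_alarm_triggers(PAGE_PATTERN, SAMPLE_EVENTS))
    print("CIS pattern triggers: ", count_alarm_triggers(CIS_PATTERN, SAMPLE_EVENTS))
    # Constructed response in the shape boto3's describe_metric_filters returns.
    print(audit_metric_filters({"metricFilters": [
        {"filterName": "cloudtrail-cfg-changes", "filterPattern": PAGE_PATTERN},
    ]}))
```

The point the audit makes is that a filter can exist and still leave the control unmet: the shorter pattern never increments the metric on `StopLogging`, so a trail that is switched off rather than deleted would not raise the alarm. Against a live account, `audit_metric_filters` can be fed the real response of `logs.describe_metric_filters(logGroupName=...)` unchanged; checking that an alarm is attached to the resulting metric is a separate step this example does not cover.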
Remediation Steps:
To remediate any non-compliance with this rule, follow these step-by-step instructions:
Ensure that the AWS CloudTrail service is enabled and configured properly:
Create a log metric filter for CloudTrail configuration changes:
Set up an alarm for CloudTrail configuration changes:
By following these steps, you can ensure compliance with the rule and establish a monitoring system to detect any unauthorized or inadvertent changes to your CloudTrail configuration.