
Rule: Ensure a log metric filter and alarm for CMKs

This rule ensures the presence of filters and alarms for managing CMKs.

Rule: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs
Framework: cis_v140
Severity: Low

Rule Description:

This rule ensures that a log metric filter and a CloudWatch alarm are in place to detect the disabling or scheduled deletion of customer-created Customer Master Keys (CMKs), as required by CIS v1.4.0. Either action makes data encrypted under the key unreadable once it takes effect, so it must be noticed promptly.

Troubleshooting Steps:

If the log metric filter and alarm are not working as expected, please follow these troubleshooting steps:

1. Verify the log metric filter configuration.
2. Check the filter pattern to ensure it matches exactly the events that disable a CMK or schedule its deletion, and nothing else.
3. Ensure the log metric filter is attached to the log group(s) that actually receive the CMK-related events.
4. Review the alarm configuration and make sure the threshold settings are appropriate.
5. Verify that the IAM role associated with the alarm has sufficient permissions to trigger actions in response to the alarm.
6. Check the actions triggered by the alarm to ensure they are defined correctly.
7. Verify that the SNS topic subscription, if used, is correctly set up and confirmed.

Necessary Codes:

No specific code is required for this rule.

Step-by-Step Guide for Remediation:

1. Log in to the AWS Management Console.
2. Navigate to the CloudWatch service.
3. Select the region in which the account being assessed against CIS v1.4.0 operates.
4. Go to the Logs section and find the log group(s) that record CMK actions.
5. Click on the log group to open the log streams.
6. Create a new log metric filter by clicking on "Create metric filter".
7. Define a filter pattern that captures disabling or scheduled deletion activities related to CMKs.
8. Configure the filter to match the log group(s) associated with CMK actions in the assessed account.
9. Choose the appropriate metric namespace and name for the filter.
10. Save the log metric filter.
11. Go to the Alarms section in CloudWatch.
12. Click on "Create alarm" to define a new alarm.
13. In the "Create Alarm" wizard, select the metric published by the filter you saved in step 10.
14. Specify the threshold settings for the alarm, such as the number of occurrences or the period of time.
15. Configure the actions to be triggered when the alarm threshold is breached. This can include sending notifications via SNS or triggering AWS Lambda functions.
16. Save the alarm configuration.
17. Test the setup by disabling, or scheduling the deletion of, a test CMK in a non-production account and then cancelling or re-enabling it.
18. Monitor the CloudWatch metrics and verify that the log metric filter triggers the alarm as expected.
19. Verify that the appropriate actions are triggered by the alarm, such as sending notifications or executing Lambda functions.
20. Make any necessary adjustments to the log metric filter, alarm threshold, or actions based on the testing and monitoring results.

Note: Review the log metric filter, alarm configuration, and associated actions regularly so that they remain effective and reflect any changes to the account's logging setup.
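As an added example (not part of the Cloud Defense rule page), the following Python evaluates the filter logic this control asks for against constructed CloudTrail log lines, so the pattern can be checked offline before it is saved in CloudWatch. The pattern string is the one published in CIS AWS Foundations Benchmark v1.4.0 for this control; the sample records, key IDs and the `alarm_state` helper are constructed for illustration.

```python
import json

# Filter pattern recommended by CIS AWS Foundations Benchmark v1.4.0 for this control.
CIS_FILTER_PATTERN = (
    "{ ($.eventSource = kms.amazonaws.com) && "
    "(($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
)

# Constructed CloudTrail records as they would appear in a CloudWatch Logs stream
# (one JSON document per line), trimmed to the fields the filter evaluates.
SAMPLE_LOG_LINES = [
    '{"eventSource": "kms.amazonaws.com", "eventName": "DisableKey", '
    '"requestParameters": {"keyId": "00000000-0000-0000-0000-000000000001"}}',
    '{"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", '
    '"requestParameters": {"keyId": "00000000-0000-0000-0000-000000000002", '
    '"pendingWindowInDays": 7}}',
    # Real KMS event names that must NOT match: the comparison is exact, not a prefix match.
    '{"eventSource": "kms.amazonaws.com", "eventName": "DisableKeyRotation", '
    '"requestParameters": {"keyId": "00000000-0000-0000-0000-000000000001"}}',
    '{"eventSource": "kms.amazonaws.com", "eventName": "CancelKeyDeletion", '
    '"requestParameters": {"keyId": "00000000-0000-0000-0000-000000000002"}}',
    '{"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"}',
]


def matches_cis_filter(event: dict) -> bool:
    """Mirror the CIS pattern: KMS event source AND (DisableKey OR ScheduleKeyDeletion).
    CloudWatch's `=` on a JSON field is an exact string comparison, so DisableKeyRotation
    is excluded even though it shares a prefix with DisableKey."""
    return (
        event.get("eventSource") == "kms.amazonaws.com"
        and event.get("eventName") in ("DisableKey", "ScheduleKeyDeletion")
    )


def metric_datapoint(log_lines) -> int:
    """Sum the filter would publish for one period (metric value 1 per matching line).
    Lines that are not valid JSON never match a JSON filter, so they are skipped."""
    total = 0
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_cis_filter(event):
            total += 1
    return total


def alarm_state(datapoint: int, threshold: int = 1) -> str:
    """Constructed alarm evaluation: a period sum >= threshold (1 per CIS) raises ALARM."""
    return "ALARM" if datapoint >= threshold else "OK"
```

With the sample lines, only the DisableKey and ScheduleKeyDeletion records count, giving a period sum of 2 and an ALARM state; the rotation, cancellation and Decrypt records are correctly ignored.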
