This rule ensures the presence of a log metric filter and alarm for monitoring S3 bucket policy changes.
| Rule | Ensure a log metric filter and alarm exist for S3 bucket policy changes |
|---|---|
| Framework | cis_v140 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm exist for S3 bucket policy changes for CIS_V140 compliance. The goal is to monitor and detect any changes made to S3 bucket policies for compliance and security purposes.
Troubleshooting Steps:
Necessary Code:
To create a log metric filter and alarm for S3 bucket policy changes, you can use the following AWS CLI commands. The first creates the metric filter on the CloudTrail log group; `--metric-transformations` is required and gives the metric the name and namespace the alarm below refers to:

```bash
aws logs put-metric-filter \
  --log-group-name <log-group-name> \
  --filter-name "S3-Policy-Change" \
  --filter-pattern "{($.eventName = PutBucketPolicy || $.eventName = DeleteBucketPolicy) && ($.eventSource = s3.amazonaws.com) && ($.awsRegion = <region>) && ($.userIdentity.sessionContext.sessionIssuer.userName != 'AWSServiceRoleForCloudTrail')}" \
  --metric-transformations metricName=S3-Policy-Change,metricNamespace=AWS/Logs,metricValue=1
```
Replace `<log-group-name>` with the name of the CloudWatch log group where S3 bucket events are stored and `<region>` with the AWS region being used.

The second command creates the alarm on that metric:

```bash
aws cloudwatch put-metric-alarm \
  --alarm-name "S3-Policy-Change-Alarm" \
  --alarm-description "Triggered when S3 bucket policy changes occur." \
  --namespace "AWS/Logs" \
  --metric-name "S3-Policy-Change" \
  --statistic "SampleCount" \
  --period 300 \
  --threshold 1 \
  --comparison-operator "GreaterThanOrEqualToThreshold" \
  --evaluation-periods 1 \
  --alarm-actions <ARN-of-notification-action> \
  --treat-missing-data "notBreaching"
```
Replace `<ARN-of-notification-action>` with the ARN (Amazon Resource Name) of the action to be taken when the alarm is triggered. This is typically an SNS topic, which can in turn deliver e-mail notifications to its subscribers.

Step-by-Step Guide for Remediation:

1. Run the `put-metric-filter` command above, replacing `<log-group-name>` and `<region>` with the appropriate values.
2. Run the `put-metric-alarm` command above, replacing `<ARN-of-notification-action>` with the ARN of your notification target.

Remember to regularly review and update the log metric filter and alarm configurations as needed, especially if changes are made to the S3 bucket structure or policy management.