
Ensure a Log Metric Filter and Alarm Exist for S3 Bucket Policy Changes Rule

This rule ensures the presence of a log metric filter and alarm for monitoring S3 bucket policy changes.

Rule: Ensure a log metric filter and alarm exist for S3 bucket policy changes
Framework: cis_v140
Severity: Low

Rule Description:

This rule ensures that a log metric filter and alarm exist for S3 bucket policy changes for CIS_V140 compliance. The goal is to monitor and detect any changes made to S3 bucket policies for compliance and security purposes.

Troubleshooting Steps:

  1. Verify if an S3 bucket policy is in place for the targeted S3 buckets.
  2. Check if CloudTrail is enabled and configured to capture S3 bucket events.
  3. Ensure that a CloudWatch log group is created for storing the S3 bucket events.
  4. Confirm if a log metric filter is set up to extract the relevant information from the CloudWatch logs.
  5. Check if an alarm is configured based on the log metric filter to trigger notifications upon policy changes.
  6. Verify if the alarm actions are set to notify the appropriate stakeholders or teams.
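Steps 4 to 6 of this checklist can be evaluated from the responses of aws logs describe-metric-filters, aws cloudwatch describe-alarms and aws sns list-subscriptions-by-topic. The Python below is an added example, not part of this page or of any vendor's checker: it runs that evaluation over constructed data shaped like those responses. The log group name, the SNS topic ARN, the account id 111122223333 and the e-mail address are placeholders, and the filter pattern text is matched textually, the way a benchmark checker does it.

```python
import re

# Constructed sample data shaped like the AWS API responses a checker would read:
# `aws logs describe-metric-filters`, `aws cloudwatch describe-alarms` and
# `aws sns list-subscriptions-by-topic`. Names, ARNs and the 111122223333 account id
# are placeholders, not values from any real account.
SAMPLE_METRIC_FILTERS = [
    {
        "filterName": "S3-Policy-Change",
        "logGroupName": "CloudTrail/example-trail",
        "filterPattern": "{($.eventName = PutBucketPolicy || $.eventName = DeleteBucketPolicy)"
                         " && ($.eventSource = s3.amazonaws.com)}",
        "metricTransformations": [
            {"metricName": "S3-Policy-Change", "metricNamespace": "CISBenchmark", "metricValue": "1"}
        ],
    }
]
SAMPLE_ALARMS = [
    {
        "AlarmName": "S3-Policy-Change-Alarm",
        "MetricName": "S3-Policy-Change",
        "Namespace": "CISBenchmark",
        "ActionsEnabled": True,
        "AlarmActions": ["arn:aws:sns:us-east-1:111122223333:security-alerts"],
    }
]
SAMPLE_SUBSCRIPTIONS = {
    "arn:aws:sns:us-east-1:111122223333:security-alerts": [
        {"Protocol": "email", "Endpoint": "secops@example.com",
         "SubscriptionArn": "arn:aws:sns:us-east-1:111122223333:security-alerts:constructed-id"}
    ]
}

REQUIRED_EVENTS = ("PutBucketPolicy", "DeleteBucketPolicy")


def pattern_covers(filter_pattern, required_events=REQUIRED_EVENTS):
    """True when the pattern text names every required eventName and the S3 event source.

    Textual check, as a benchmark checker does it; quoted and unquoted literals both count,
    e.g. $.eventName = "PutBucketPolicy" or $.eventName = PutBucketPolicy.
    """
    if "s3.amazonaws.com" not in filter_pattern:
        return False
    return all(
        re.search(r'\$\.eventName\s*=\s*"?' + re.escape(ev) + r'"?', filter_pattern)
        for ev in required_events
    )


def evaluate_rule(metric_filters, alarms, subscriptions_by_topic):
    """Walk the chain filter -> alarm on its metric -> live notification path.

    Returns (compliant, findings); compliant as soon as one complete chain exists.
    """
    findings = []
    covering = [f for f in metric_filters if pattern_covers(f.get("filterPattern", ""))]
    if not covering:
        findings.append("no metric filter pattern covers PutBucketPolicy and "
                        "DeleteBucketPolicy from s3.amazonaws.com")
        return False, findings

    for flt in covering:
        for transform in flt.get("metricTransformations", []):
            metric = (transform["metricName"], transform["metricNamespace"])
            matching_alarms = [a for a in alarms
                               if (a.get("MetricName"), a.get("Namespace")) == metric]
            if not matching_alarms:
                findings.append(f"filter {flt['filterName']}: no alarm on metric "
                                f"{metric[1]}/{metric[0]}")
                continue
            for alarm in matching_alarms:
                if not alarm.get("ActionsEnabled", True):
                    findings.append(f"alarm {alarm['AlarmName']}: actions are disabled")
                    continue
                topics = alarm.get("AlarmActions", [])
                if not topics:
                    findings.append(f"alarm {alarm['AlarmName']}: no alarm actions configured")
                    continue
                # A topic whose subscriptions are all still PendingConfirmation notifies nobody.
                confirmed = [
                    s for topic in topics for s in subscriptions_by_topic.get(topic, [])
                    if s.get("SubscriptionArn") not in (None, "", "PendingConfirmation")
                ]
                if not confirmed:
                    findings.append(f"alarm {alarm['AlarmName']}: no confirmed subscriber "
                                    "on its SNS topic(s)")
                    continue
                return True, []
    return False, findings


if __name__ == "__main__":
    ok, found = evaluate_rule(SAMPLE_METRIC_FILTERS, SAMPLE_ALARMS, SAMPLE_SUBSCRIPTIONS)
    print("compliant" if ok else "non-compliant", found)
```

Feeding the function the live API output instead of the samples turns it into the check behind this rule; the findings list names the first missing link in the chain, which is where the remediation below has to start.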

Necessary Code:

To create a log metric filter and alarm for S3 bucket policy changes, you can use the following AWS CLI commands:

  1. Create a log metric filter:
# The filter pattern is single-quoted so the shell passes the $.field references through
# unchanged; string values inside the pattern use double quotes, as the filter syntax expects.
# --metric-transformations is required by put-metric-filter: it names the metric the alarm
# below watches and publishes it in a custom namespace (namespaces beginning with AWS/ are
# reserved for AWS services).
aws logs put-metric-filter \
    --log-group-name <log-group-name> \
    --filter-name "S3-Policy-Change" \
    --filter-pattern '{ ($.eventName = PutBucketPolicy || $.eventName = DeleteBucketPolicy) && ($.eventSource = s3.amazonaws.com) && ($.awsRegion = "<region>") && ($.userIdentity.sessionContext.sessionIssuer.userName != "AWSServiceRoleForCloudTrail") }' \
    --metric-transformations metricName=S3-Policy-Change,metricNamespace=CISBenchmark,metricValue=1

Replace <log-group-name> with the name of the CloudWatch log group where S3 bucket events are stored and <region> with the AWS region being used.

  2. Create an alarm for the log metric filter:
# --namespace and --metric-name must match the metricNamespace and metricName set in the
# metric transformation above. Every matching event publishes one data point, so a
# SampleCount of at least 1 in a 300 second period means at least one policy change occurred.
aws cloudwatch put-metric-alarm \
    --alarm-name "S3-Policy-Change-Alarm" \
    --alarm-description "Triggered when S3 bucket policy changes occur." \
    --namespace "CISBenchmark" \
    --metric-name "S3-Policy-Change" \
    --statistic "SampleCount" \
    --period 300 \
    --threshold 1 \
    --comparison-operator "GreaterThanOrEqualToThreshold" \
    --evaluation-periods 1 \
    --alarm-actions <ARN-of-notification-action> \
    --treat-missing-data "notBreaching"

Replace <ARN-of-notification-action> with the ARN (Amazon Resource Name) of the action to take when the alarm fires. This is typically an SNS topic; an email address receives the notifications by being subscribed to that topic.
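Before relying on the filter pattern it helps to see which CloudTrail records it would and would not count. The Python below is an added example, not part of this page: it evaluates the pattern's clauses in the same order over constructed CloudTrail records (placeholder role and user names; us-east-1 stands in for <region>). It shows that a PutBucketPolicy in another region, a PutBucketAcl and a read-only GetBucketPolicy are not counted, and it flags records that carry no sessionContext (IAM users authenticating with access keys), because the pattern's != clause refers to a field those records lack.

```python
# Constructed CloudTrail records for exercising the filter pattern offline; role and user
# names are placeholders and only the fields the pattern inspects are populated.
REGION = "us-east-1"  # stands in for the <region> placeholder in the pattern
POLICY_CHANGE_EVENTS = ("PutBucketPolicy", "DeleteBucketPolicy")
EXCLUDED_SESSION_ISSUER = "AWSServiceRoleForCloudTrail"

MATCH = "MATCH"
NO_MATCH = "NO_MATCH"
VERIFY = "VERIFY_ABSENT_FIELD"


def _assumed_role(role_name):
    """userIdentity block of a record produced through an assumed role."""
    return {"type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"userName": role_name}}}


def _record(event_name, region=REGION, user_identity=None, source="s3.amazonaws.com"):
    """One constructed CloudTrail record with the fields the pattern reads."""
    return {"eventName": event_name, "eventSource": source, "awsRegion": region,
            "userIdentity": user_identity or _assumed_role("DeployRole")}


SAMPLE_EVENTS = [
    ("put-policy-in-region", _record("PutBucketPolicy")),
    ("delete-policy-in-region", _record("DeleteBucketPolicy")),
    ("put-policy-other-region", _record("PutBucketPolicy", region="eu-west-1")),
    ("put-acl", _record("PutBucketAcl")),          # permission change the pattern does not list
    ("read-policy", _record("GetBucketPolicy")),   # read-only call
    ("excluded-issuer", _record("PutBucketPolicy",
                                user_identity=_assumed_role(EXCLUDED_SESSION_ISSUER))),
    ("iam-user-no-session", _record("PutBucketPolicy",
                                    user_identity={"type": "IAMUser", "userName": "alice"})),
]


def session_issuer(record):
    """$.userIdentity.sessionContext.sessionIssuer.userName, or None when any level is absent."""
    return (record.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("sessionIssuer", {})
                  .get("userName"))


def classify(record, region=REGION):
    """Evaluate the page's filter clauses, in order, against one CloudTrail record."""
    if record.get("eventName") not in POLICY_CHANGE_EVENTS:
        return NO_MATCH
    if record.get("eventSource") != "s3.amazonaws.com":
        return NO_MATCH
    if record.get("awsRegion") != region:
        return NO_MATCH  # the awsRegion clause scopes the metric to a single region
    issuer = session_issuer(record)
    if issuer is None:
        # The != clause refers to a field this record does not carry (IAM-user access keys
        # produce no sessionContext). Whether CloudWatch counts such a record depends on how
        # the service treats a comparison on an absent field, so flag it for an explicit
        # check instead of guessing.
        return VERIFY
    return NO_MATCH if issuer == EXCLUDED_SESSION_ISSUER else MATCH


def classify_all(events=SAMPLE_EVENTS, region=REGION):
    """Map each labelled sample record to its classification."""
    return {label: classify(record, region) for label, record in events}


if __name__ == "__main__":
    for label, outcome in classify_all().items():
        print(f"{label:26s} {outcome}")
```

Settle the flagged case against the service itself with aws logs test-metric-filter, passing the filter pattern and a record without a sessionContext as the test message. If such records are not counted, the exclusion clause creates a blind spot for policy changes made with IAM-user access keys, and the awsRegion clause means a multi-region trail needs one filter per region or no region clause at all.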

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudWatch service.
  3. Verify the existence of the appropriate log group for S3 bucket events. Create a new log group if needed.
  4. Create a log metric filter with the given filter pattern. Replace <log-group-name> and <region> with the appropriate values.
  5. Validate that the log metric filter has been created successfully.
  6. Configure an alarm to trigger when the log metric filter reaches the specified threshold.
  7. Specify the necessary details for the alarm, such as the name, description, metric namespace, metric name, statistic, period, and evaluation periods.
  8. Set the threshold value to 1 to trigger the alarm when at least one policy change occurs.
  9. Define the actions to take when the alarm triggers. Enter the ARN of the SNS topic whose subscribers (for example, an email address) should receive the notifications.
  10. Review and confirm the alarm settings.
  11. Monitor the alarm regularly to ensure timely detection of and response to S3 bucket policy changes.
  12. Investigate any policy changes detected by the alarm to determine whether they are authorized and compliant with the desired security policies.
  13. Take appropriate actions based on the investigation results, such as reverting unauthorized changes, updating policies, or escalating to the relevant teams or stakeholders for further action.

Remember to regularly review and update the log metric filter and alarm configurations as needed, especially if changes are made to the S3 bucket structure or policy management.
