Ensure a Log Metric Filter and Alarm Exist for Security Group Changes Rule

This rule ensures the presence of a log metric filter and alarm for security group changes.

Rule: Ensure a log metric filter and alarm exist for security group changes
Framework: cis_v150
Severity: High

Rule Description:

This rule ensures that a log metric filter and alarm are set up to monitor any changes made to security groups in an environment that complies with the CIS AWS Foundations benchmark version 1.5.0 (cis_v150).

Troubleshooting Steps:

If the log metric filter and alarm for security group changes are not properly set up, you might encounter the following issues:

  1. Inability to detect and respond to unauthorized changes made to security groups.
  2. Failure to comply with the CIS AWS Foundations benchmark version 1.5.0.
  3. Increased risk of unauthorized access or network vulnerabilities.

Necessary Codes (CloudFormation):

To implement this rule and set up the log metric filter and alarm, you can use the following AWS CloudFormation template. The metric filter must be attached to the CloudWatch Logs log group that receives your CloudTrail events; a filter on any other log group never sees the API calls it is meant to match.

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: CloudWatch Logs log group that receives CloudTrail events

Resources:
  SecurityGroupChangeLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/security-group-change-log-group
      RetentionInDays: 30

  # Optional helper function; the CIS control only requires the metric filter and alarm below.
  SecurityGroupChangeFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: security-group-change-function
      Handler: index.lambda_handler
      Runtime: python3.12   # python3.7 is deprecated and can no longer be deployed
      Code:
        S3Bucket: your-s3-bucket
        S3Key: your-lambda-code.zip
      Timeout: 60
      Environment:
        Variables:
          LOG_GROUP_NAME: /aws/lambda/security-group-change-log-group

  # Lets CloudWatch Logs invoke the function (only needed if you add a subscription filter).
  SecurityGroupChangePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt SecurityGroupChangeFunction.Arn
      Action: lambda:InvokeFunction
      Principal: logs.amazonaws.com
      SourceArn: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/security-group-change-log-group:*

  SecurityGroupChangeMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      # Must watch the CloudTrail log group, not the Lambda log group above.
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
      MetricTransformations:
        - MetricName: SecurityGroupChanges
          MetricNamespace: SecurityGroup
          MetricValue: 1

  SecurityGroupChangeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: security-group-change-alarm
      AlarmDescription: Alarm triggered when security group changes are detected
      AlarmActions:
        - <your-action>   # e.g. the ARN of an SNS topic with at least one subscriber
      MetricName: SecurityGroupChanges
      Namespace: SecurityGroup
      # No Dimensions: metrics published by a metric filter carry none, so an alarm
      # that asks for a LogGroupName dimension never receives data and never fires.
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching

Step-by-Step Guide for Remediation:

To remediate this issue and set up the log metric filter and alarm for security group changes, follow these steps:

  1. Open your AWS Management Console and go to the CloudFormation service.
  2. Create a new CloudFormation stack.
  3. Paste the above code into the template section.
  4. Modify the necessary values, such as the S3Bucket and S3Key for the Lambda function code.
  5. Click on "Next" and provide a stack name.
  6. Review the stack details and click on "Create" to create the CloudFormation stack.
  7. Wait for the stack creation process to complete.
  8. Once the stack is created, the log metric filter and alarm will be set up, and you will start receiving alerts for any security group changes.

Ensure that the appropriate alarm action is configured in the CloudWatch alarm settings to notify relevant personnel or take automated actions when security group changes are detected.

Note: It is essential to monitor the logs and alarms regularly to ensure they are functioning correctly and responding to security group changes effectively.
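As an added example (not the rule page's own code or CloudDefense tooling), the Python check below does the kind of regular verification the note above calls for, against the template in the "Necessary Codes" section: it confirms the filter pattern covers all six CIS event names and that the alarm is actually wired to the filter's metric (matching name and namespace, no Dimensions, at least one action). The input dictionaries are constructed here to mirror the shape of boto3's describe_metric_filters and describe_alarms responses so it runs offline; the log group name and SNS topic ARN in them are placeholders.

```python
"""Offline check that a CloudWatch Logs metric filter and alarm pair satisfies
the CIS AWS Foundations 1.5.0 control for security group change monitoring.

Added example, not the rule page's own code.  Inputs are constructed to
mirror boto3 describe_metric_filters / describe_alarms output; a real audit
would feed the live responses in instead.
"""
import re

# Event names the CIS control expects the filter pattern to select on.
REQUIRED_EVENTS = {
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
}

# Matches one "$.eventName = Value" term inside a JSON filter pattern.
_TERM = re.compile(r"\$\.eventName\s*=\s*\"?([A-Za-z]+)\"?")


def event_names_in_pattern(pattern: str) -> set:
    """Return the set of eventName values the filter pattern selects on."""
    return set(_TERM.findall(pattern))


def missing_events(pattern: str) -> set:
    """Events the control requires that the pattern does not mention."""
    return REQUIRED_EVENTS - event_names_in_pattern(pattern)


def alarm_wiring_problems(metric_filter: dict, alarm: dict) -> list:
    """Explain why the alarm would never fire for this filter's metric."""
    problems = []
    transforms = metric_filter.get("metricTransformations", [])
    if not transforms:
        return ["metric filter has no metricTransformations"]
    names = {(t["metricName"], t["metricNamespace"]) for t in transforms}
    if (alarm.get("MetricName"), alarm.get("Namespace")) not in names:
        problems.append("alarm MetricName/Namespace do not match the filter's transformation")
    # A filter-generated metric carries no dimensions; an alarm that asks for
    # one never receives data points and sits in INSUFFICIENT_DATA forever.
    if alarm.get("Dimensions"):
        problems.append("alarm specifies Dimensions but filter metrics have none")
    if not alarm.get("AlarmActions"):
        problems.append("alarm has no AlarmActions, so nobody is notified")
    return problems


def evaluate(metric_filter: dict, alarm: dict) -> dict:
    """Combine pattern coverage and alarm wiring into one verdict."""
    missing = missing_events(metric_filter.get("filterPattern", ""))
    wiring = alarm_wiring_problems(metric_filter, alarm)
    return {
        "missing_events": sorted(missing),
        "wiring_problems": wiring,
        "compliant": not missing and not wiring,
    }


# --- constructed sample input, shaped like boto3 responses -----------------
SAMPLE_FILTER = {
    "filterName": "SecurityGroupChangeMetricFilter",
    "logGroupName": "CloudTrail/PlaceholderLogGroup",  # placeholder name
    "filterPattern": (
        "{ ($.eventName = AuthorizeSecurityGroupIngress) || "
        "($.eventName = AuthorizeSecurityGroupEgress) || "
        "($.eventName = RevokeSecurityGroupIngress) || "
        "($.eventName = RevokeSecurityGroupEgress) || "
        "($.eventName = CreateSecurityGroup) || "
        "($.eventName = DeleteSecurityGroup) }"
    ),
    "metricTransformations": [
        {"metricName": "SecurityGroupChanges", "metricNamespace": "SecurityGroup", "metricValue": "1"}
    ],
}

# Alarm with a LogGroupName dimension: it can never fire on a filter metric.
DIMENSIONED_ALARM = {
    "AlarmName": "security-group-change-alarm",
    "MetricName": "SecurityGroupChanges",
    "Namespace": "SecurityGroup",
    "Dimensions": [{"Name": "LogGroupName", "Value": "CloudTrail/PlaceholderLogGroup"}],
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:placeholder-topic"],  # placeholder ARN
}

# Same alarm with the dimension removed, as the corrected template has it.
FIXED_ALARM = {**DIMENSIONED_ALARM, "Dimensions": []}

if __name__ == "__main__":
    for label, alarm in (("dimensioned", DIMENSIONED_ALARM), ("fixed", FIXED_ALARM)):
        print(label, evaluate(SAMPLE_FILTER, alarm))
```

Running the file prints one verdict per alarm: the dimensioned alarm is reported non-compliant with a single wiring problem, the fixed one as compliant. Feeding it a pattern that drops an event name lists that name under missing_events, which is the quickest way to catch a hand-edited filter that silently stopped covering part of the control.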
