This rule ensures the presence of a log metric filter and alarm for any changes to Network Access Control Lists (NACL).
| Field | Value |
| --- | --- |
| Rule | Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule Description:
This rule ensures the existence of a log metric filter and alarm for changes to Network Access Control Lists (NACL) under the cis_v150 framework. By setting up a log metric filter and alarm, you can monitor any modifications made to NACLs and receive notifications when these changes occur.
Troubleshooting Steps:
If the log metric filter or alarm does not exist or is not functioning as expected, follow these troubleshooting steps:
Verify AWS CLI Configuration: Ensure that you have configured the AWS CLI with valid credentials and the appropriate permissions to create and manage CloudWatch logs, metric filters, and alarms.
Check Log Metric Filter: Go to the CloudWatch Logs console and search for the log metric filter associated with NACL changes. Ensure that the filter pattern is correctly configured to capture the desired events. The filter pattern should include specific keywords or patterns related to NACL modifications.
Confirm Log Group: Verify that the log metric filter is associated with the correct log group. The log group should contain the relevant log streams where NACL change events are logged.
Test Log Metric Filter: Manually trigger a NACL change event to check if the log metric filter captures the event. Verify that the filter extracts the necessary information from the event for further processing.
Review Alarm Threshold: Examine the alarm configuration to ensure that the threshold for triggering the alarm is appropriately set. Adjust the threshold if necessary to align with the desired monitoring requirements.
Validate Alarm Actions: Confirm that the alarm is correctly configured to trigger the desired actions when a NACL change occurs. For example, check if it sends notifications through Amazon SNS or triggers an AWS Lambda function for automated remediation.
Necessary Codes:
There are no specific codes required for this rule as it primarily involves configuration through the AWS Management Console or CLI commands.
Step-by-Step Guide for Remediation:
Follow these steps to remediate the absence of a log metric filter and alarm for changes to NACLs:
Step 1: Access the AWS Management Console
Step 2: Navigate to CloudWatch Logs
Step 3: Create a Log Metric Filter
In the CloudWatch Logs console, select the appropriate log group containing NACL-related logs.
Click on the "Create Metric Filter" button.
In the "Filter Pattern" section, define a filter pattern that captures NACL change events. Ensure it accurately matches the log messages generated for these events.
Choose a log stream and preview the sample log events to confirm the filter pattern's accuracy.
Select "Assign Metric" and provide a name for the metric.
Configure any additional settings necessary and click "Create Filter."
Step 4: Create an Alarm
After creating the log metric filter, click on the "Create Alarm" button for the associated metric.
Specify the conditions for triggering the alarm based on the metric, for example a threshold on the number of NACL change events within a given period.
Configure the actions to be taken when the alarm is triggered. This can include sending notifications through SNS or invoking an AWS Lambda function.
Provide a name and description for the alarm and click "Create Alarm."
Step 5: Test and Monitor
Manually perform a NACL change event to verify that the log metric filter captures the event and triggers the alarm.
Monitor the logs and notifications to ensure that the desired actions are executed correctly.
By following these steps, you can create a log metric filter and alarm for changes to NACLs and effectively monitor and respond to these modifications.
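The same remediation as AWS CLI commands, added here as an example and not part of the original page: Steps 3 and 4 become put-metric-filter and put-metric-alarm calls, and a small check function covers the "Check Log Metric Filter" troubleshooting step. The filter pattern is the one the CIS AWS Foundations Benchmark v1.5.0 specifies for this control; it assumes CloudTrail is already delivering to a CloudWatch Logs group, and the log group name, SNS topic ARN and filter/metric/alarm names are placeholders.

```shell
# Added example, not from the original page: CLI form of Steps 3 and 4.
# Assumes CloudTrail already delivers to the CloudWatch Logs group below;
# LOG_GROUP, SNS_TOPIC_ARN and the filter/alarm names are placeholders.
set -eu
LOG_GROUP="${LOG_GROUP:-/aws/cloudtrail/management-events}"
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:123456789012:security-alerts}"
FILTER_NAME="NetworkAclChanges"
METRIC_NAME="NetworkAclEventCount"
METRIC_NS="CISBenchmark"
ALARM_NAME="cis-4.11-nacl-changes"
# CIS v1.5.0 control 4.11 pattern: every CloudTrail event that creates,
# deletes or replaces a NACL, a NACL entry or a NACL association.
nacl_filter_pattern() {
  printf '%s' '{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }'
}

# Step 3: metric filter on the CloudTrail log group, emitting 1 per match.
create_nacl_metric_filter() {
  aws logs put-metric-filter \
    --log-group-name "$LOG_GROUP" \
    --filter-name "$FILTER_NAME" \
    --filter-pattern "$(nacl_filter_pattern)" \
    --metric-transformations "metricName=$METRIC_NAME,metricNamespace=$METRIC_NS,metricValue=1"
}

# Step 4: alarm on >= 1 matching event in any 5-minute period, notifying SNS.
create_nacl_alarm() {
  aws cloudwatch put-metric-alarm \
    --alarm-name "$ALARM_NAME" \
    --metric-name "$METRIC_NAME" --namespace "$METRIC_NS" \
    --statistic Sum --period 300 --evaluation-periods 1 \
    --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$SNS_TOPIC_ARN"
}

# "Check Log Metric Filter" step: verify a deployed pattern still names all
# six NACL events. Prints each missing event; returns 1 if any is missing.
check_pattern_covers_events() {
  pattern="$1"; missing=0
  for ev in CreateNetworkAcl CreateNetworkAclEntry DeleteNetworkAcl \
            DeleteNetworkAclEntry ReplaceNetworkAclEntry ReplaceNetworkAclAssociation; do
    case "$pattern" in
      *"(\$.eventName = $ev)"*) ;;
      *) echo "missing: $ev"; missing=1 ;;
    esac
  done
  return "$missing"
}
```

Source the file with LOG_GROUP and SNS_TOPIC_ARN set for your account, then call create_nacl_metric_filter followed by create_nacl_alarm; to audit an existing filter, pass its pattern (from `aws logs describe-metric-filters`) to check_pattern_covers_events.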