
Rule: Ensure a log metric filter and alarm exist for changes to network gateways

This rule ensures the presence of a log metric filter and alarm for network gateway changes.

Rule: Ensure a log metric filter and alarm exist for changes to network gateways
Framework: cis_v150
Severity: Low

Rule Description

This rule checks that a CloudWatch Logs metric filter and a CloudWatch alarm exist to detect changes to network gateways, as required by control 4.12 of the CIS Amazon Web Services Foundations Benchmark v1.5.0 (cis_v150). Customer gateways and Internet gateways define how traffic leaves a VPC toward on-premises networks or the Internet, so an unexpected create, delete, attach or detach is a strong signal of misconfiguration or of an attacker opening a path out of the environment. The metric filter turns the CloudTrail event into a metric data point, and the alarm turns that data point into a near-real-time notification.

Troubleshooting Steps

If the log metric filter and alarm are not present or not functioning correctly, follow these troubleshooting steps:

  1. Check the CloudTrail configuration: a multi-region trail must be enabled, logging all (read and write) management events, and delivering to a CloudWatch Logs log group. The metric filter must be attached to that log group; a filter on any other group never sees the events.
  2. Verify IAM permissions: the role CloudTrail uses to deliver to CloudWatch Logs needs logs:CreateLogStream and logs:PutLogEvents on the log group, and the principal that deploys the filter and alarm needs logs:PutMetricFilter and cloudwatch:PutMetricAlarm. The CloudTrail delivery role does not create filters or alarms itself.
  3. Review the metric filter pattern: it must compare the CloudTrail field $.eventName against the gateway events the benchmark lists (CreateCustomerGateway, DeleteCustomerGateway, AttachInternetGateway, CreateInternetGateway, DeleteInternetGateway, DetachInternetGateway). A misspelled event name silently matches nothing; `aws logs test-metric-filter` lets you check a pattern against a sample log line before deploying it.
  4. Examine the alarm configuration: the alarm's MetricName and Namespace must match the filter's metric transformation exactly, the threshold must fire on one or more events in the period, and AlarmActions must point at an SNS topic that has at least one confirmed subscriber, which the benchmark also checks.
  5. Check alarm state: if the alarm never leaves OK or INSUFFICIENT_DATA, confirm that the metric is actually receiving data points and that ActionsEnabled is true in the output of `aws cloudwatch describe-alarms`.
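The filter-syntax and alarm-wiring steps above are easiest to reason about when the filter pattern is evaluated the way CloudWatch Logs will evaluate it. As an added example (not code from the original page), the Python below evaluates the disjunction-only `$.eventName` patterns this control uses against constructed CloudTrail records and reports which CIS 4.12 event names a candidate pattern fails to cover. The sample records and the narrower pattern are constructed for illustration; the CIS pattern is the one the benchmark publishes.

```python
import json
import re

# The JSON filter patterns used for this control are disjunctions of exact
# eventName comparisons: { ($.eventName = A) || ($.eventName = B) ... }.
# This evaluator handles only that subset; it is not a full filter-pattern parser.
_TERM = re.compile(r'\(\s*\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?\s*\)')

# Pattern from CIS AWS Foundations Benchmark v1.5.0, control 4.12.
CIS_4_12_PATTERN = (
    "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway)"
    " || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway)"
    " || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
)

# A narrower pattern constructed for comparison: customer and VPN gateways only.
NARROW_PATTERN = (
    "{($.eventName = CreateCustomerGateway) || ($.eventName = CreateVpnGateway)"
    " || ($.eventName = DeleteCustomerGateway) || ($.eventName = DeleteVpnGateway)}"
)


def event_names_in_pattern(pattern: str) -> set[str]:
    """Event names a disjunction-only pattern matches.

    Raises ValueError if anything other than eventName terms, '||' and braces is
    present, so a typo or an unsupported operator is not silently ignored.
    """
    names = _TERM.findall(pattern)
    leftover = re.sub(r"[\s{}|]", "", _TERM.sub("", pattern))
    if leftover or not names:
        raise ValueError(f"unsupported or malformed filter pattern: {pattern!r}")
    return set(names)


def matched_events(pattern: str, records: list[dict]) -> list[str]:
    """eventName of each record the metric filter would count (MetricValue 1 each)."""
    names = event_names_in_pattern(pattern)
    return [r["eventName"] for r in records if r.get("eventName") in names]


def missing_cis_events(pattern: str) -> set[str]:
    """CIS 4.12 event names that a candidate pattern does not cover."""
    return event_names_in_pattern(CIS_4_12_PATTERN) - event_names_in_pattern(pattern)


# Constructed CloudTrail records with only the fields the filter inspects; not real log data.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "CreateCustomerGateway"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "AttachInternetGateway"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInternetGateways"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVpnGateway"}),
]
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_LOG_LINES]

if __name__ == "__main__":
    print("CIS pattern counts:   ", matched_events(CIS_4_12_PATTERN, SAMPLE_RECORDS))
    print("narrow pattern counts:", matched_events(NARROW_PATTERN, SAMPLE_RECORDS))
    print("narrow pattern misses:", sorted(missing_cis_events(NARROW_PATTERN)))
```

Run against a sample record from your own trail, `missing_cis_events` is the quickest way to see whether a pattern an auditor will inspect actually covers every event the benchmark names; a pattern that is syntactically valid but lists the wrong gateway type passes CloudWatch's own validation and still fails the control.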

Code

Below is an example CloudFormation template (YAML) that creates the log metric filter and alarm for changes to network gateways. It takes the name of the log group your CloudTrail trail delivers to and the ARN of the SNS topic to notify as parameters. The filter pattern uses the event list from CIS 4.12 (customer and Internet gateways) and additionally covers the VPN gateway events; the alarm sums the metric over five minutes and fires on a single event. Modify it according to your specific requirements.

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: CloudWatch Logs log group that the multi-region CloudTrail trail delivers to
  SnsTopicArn:
    Type: String
    Description: SNS topic (with at least one confirmed subscriber) that receives the alarm

Resources:
  NetworkGatewayLogMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # CIS v1.5.0 4.12 event names (customer and Internet gateways) plus VPN gateway events
      FilterPattern: "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) || ($.eventName = CreateVpnGateway) || ($.eventName = DeleteVpnGateway) }"
      MetricTransformations:
        - MetricValue: "1"
          MetricNamespace: "CIS/NetworkGatewayChanges"
          MetricName: "NetworkGatewayChanges"

  NetworkGatewayAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: "NetworkGatewayChangesAlarm"
      AlarmDescription: "Alarm triggered when network gateway changes are detected"
      AlarmActions:
        - !Ref SnsTopicArn
      # Namespace and MetricName must match the metric transformation above exactly
      MetricName: "NetworkGatewayChanges"
      Namespace: "CIS/NetworkGatewayChanges"
      Statistic: "Sum"
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: "GreaterThanOrEqualToThreshold"
      # No gateway events in a period is the normal case, not a breach
      TreatMissingData: "notBreaching"

Remediation

Follow these steps to remediate the issue:

  1. Open the AWS Management Console or use the AWS CLI with credentials that are allowed to create CloudFormation stacks, metric filters and alarms.
  2. Navigate to the AWS CloudFormation service.
  3. Create a new stack, or select an existing stack, in the region that hosts the log group your trail delivers to.
  4. Copy the provided code into a CloudFormation template file or use the AWS CloudFormation Designer to import the template.
  5. Set the parameters and adjust the template to your needs (log group name, SNS topic, alarm name, period or threshold). Keep the CIS event names in the filter pattern; an auditor checks for them.
  6. Deploy the CloudFormation stack and wait for the resources to be created.
  7. Verify the filter and alarm work: test the pattern against a sample CloudTrail record with `aws logs test-metric-filter`, or make a gateway change in a test VPC, then confirm the alarm enters the ALARM state and the notification arrives.
  8. Make sure the SNS topic has at least one confirmed subscriber (or wire the alarm to another action); an alarm with no working action fires silently and the benchmark check still fails.
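The verification in the last two steps is exactly the benchmark's audit procedure: find the multi-region trail that logs all management events to CloudWatch Logs, find a metric filter on that log group whose pattern covers every 4.12 event name, find an alarm on the filter's metric, and confirm the alarm notifies an SNS topic with a confirmed subscriber. As an added example, not part of the original page, the Python below implements that chain as a pure function over the response shapes the AWS CLI and boto3 return (`describe-trails`, `get-trail-status`, `get-event-selectors`, `describe-metric-filters`, `describe-alarms`, `list-subscriptions-by-topic`), so it runs offline over captured JSON. The data at the bottom is constructed, with a made-up account ID, ARNs and names.

```python
import re

# Event names required by CIS AWS Foundations Benchmark v1.5.0, control 4.12.
REQUIRED_EVENTS = {
    "CreateCustomerGateway", "DeleteCustomerGateway",
    "AttachInternetGateway", "CreateInternetGateway",
    "DeleteInternetGateway", "DetachInternetGateway",
}
_TERM = re.compile(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?')


def trail_log_group(trails, statuses, selectors):
    """Name of the log group fed by a multi-region trail that logs all management events."""
    for trail in trails:
        name = trail["Name"]
        if not trail.get("IsMultiRegionTrail") or not statuses.get(name, {}).get("IsLogging"):
            continue
        if not any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                   for s in selectors.get(name, {}).get("EventSelectors", [])):
            continue
        arn = trail.get("CloudWatchLogsLogGroupArn", "")
        if ":log-group:" in arn:  # arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*
            return arn.split(":log-group:")[1].split(":")[0]
    return None


def audit(trails, statuses, selectors, metric_filters, alarms, subscriptions):
    """Return a list of findings; an empty list means the control passes."""
    log_group = trail_log_group(trails, statuses, selectors)
    if log_group is None:
        return ["no active multi-region trail logs all management events to CloudWatch Logs"]

    # A filter counts only if it sits on the trail's log group and names every CIS event.
    covering = [f for f in metric_filters
                if f["logGroupName"] == log_group
                and REQUIRED_EVENTS <= set(_TERM.findall(f["filterPattern"]))]
    if not covering:
        return [f"no metric filter on {log_group} covers every CIS 4.12 event name"]

    metrics = {(t["metricNamespace"], t["metricName"])
               for f in covering for t in f["metricTransformations"]}
    wired = [a for a in alarms if (a["Namespace"], a["MetricName"]) in metrics]
    if not wired:
        return [f"no alarm watches the metric(s) {sorted(metrics)}"]

    # The benchmark also requires a notification path: an SNS topic with a confirmed subscriber.
    notified = any(
        sub["SubscriptionArn"] != "PendingConfirmation"
        for alarm in wired
        for topic in alarm.get("AlarmActions", [])
        for sub in subscriptions.get(topic, [])
    )
    if not notified:
        return ["no wired alarm notifies an SNS topic with a confirmed subscriber"]
    return []


# Constructed sample responses (made-up account ID, ARNs and names); not from a real account.
TOPIC = "arn:aws:sns:us-east-1:111122223333:cis-alarms"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/Management:*"
TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True,
           "CloudWatchLogsLogGroupArn": LOG_GROUP_ARN}]
STATUSES = {"org-trail": {"IsLogging": True}}
SELECTORS = {"org-trail": {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True}]}}
METRIC_FILTERS = [{
    "filterName": "NetworkGatewayChanges",
    "logGroupName": "CloudTrail/Management",
    "filterPattern": "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway)"
                     " || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway)"
                     " || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }",
    "metricTransformations": [{"metricName": "NetworkGatewayChanges",
                               "metricNamespace": "CIS/NetworkGatewayChanges",
                               "metricValue": "1"}],
}]
ALARMS = [{"AlarmName": "NetworkGatewayChangesAlarm",
           "Namespace": "CIS/NetworkGatewayChanges",
           "MetricName": "NetworkGatewayChanges",
           "AlarmActions": [TOPIC]}]
SUBSCRIPTIONS = {TOPIC: [{"Protocol": "email",
                          "SubscriptionArn": TOPIC + ":5d2e1c3a-0000-4000-8000-000000000001"}]}

if __name__ == "__main__":
    findings = audit(TRAILS, STATUSES, SELECTORS, METRIC_FILTERS, ALARMS, SUBSCRIPTIONS)
    print("PASS" if not findings else "FAIL: " + "; ".join(findings))
```

To run it against a real account, dump each CLI response to JSON and pass the relevant list or map in; the function stops at the first broken link in the chain, which is also the order in which you should fix things, since a perfect alarm on the wrong log group or an unconfirmed email subscription both fail the control just as surely as a missing filter.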

By following these steps, you can ensure a log metric filter and alarm exist for changes to network gateways as outlined in the CIS Amazon Web Services Foundations v1.5.0 (cis_v150) benchmark.
