Rule: Ensure a log metric filter and alarm exist for route table changes
This rule ensures the presence of log metric filter and alarm for route table changes.
| Rule | Ensure a log metric filter and alarm exist for route table changes |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule Description:
This rule ensures that a log metric filter and alarm exist to monitor and alert for any changes made to route tables within the cis_v150 environment.
Policy Detail:
To secure the network infrastructure and prevent unauthorized or accidental modifications to the route tables, it is essential to have a monitoring system in place that notifies the appropriate stakeholders whenever a change occurs. This rule specifically focuses on creating a log metric filter and alarm for route table changes in the cis_v150 environment.
Steps for Implementation:
To implement this rule, you need to follow these steps:
Step 1: Create a Log Metric Filter
- 1.Log in to the AWS Management Console.
- 2.Open the CloudWatch service.
- 3.In the navigation pane, click on "Log groups."
- 4.Locate the log group for the cis_v150 environment.
- 5.Click on the log group to open it.
- 6.Click on the "Create filter" button.
- 7.In the "Filter pattern" field, enter the following filter pattern: "eventName = ModifyRouteTable"
- 8.Choose the log stream(s) for which you want to create the filter, or select "All streams."
- 9.Click on the "Assign metric" button.
- 10.Provide a name for the metric, such as "RouteTableChangesMetric."
- 11.Configure the metric details (namespace, dimensions, etc.) as per your requirements.
- 12.Click on the "Create filter" button to save the log metric filter.
Step 2: Create an Alarm
- 1.In the CloudWatch service, click on "Alarms" in the navigation pane.
- 2.Click on the "Create alarm" button.
- 3.In the "Create Alarm" wizard, select the "Select metric" button.
- 4.Locate and select the metric created in Step 1 ("RouteTableChangesMetric").
- 5.Set the alarm conditions based on your desired criteria (e.g., threshold, comparison, period, etc.). For example, you can set the threshold to "1" to trigger an alarm whenever a route table change occurs.
- 6.Configure the actions that should be taken when the alarm state is triggered (e.g., sending an email notification, triggering an AWS Lambda function, etc.).
- 7.Provide a name and description for the alarm.
- 8.Click on the "Create alarm" button to save the alarm.
Troubleshooting Steps:
If you encounter any issues while implementing this rule, consider the following troubleshooting steps:
- 1.Ensure that you have the necessary permissions to create log metric filters and alarms within your AWS environment.
- 2.Verify that the log group for the cis_v150 environment exists and contains the required logs.
- 3.Double-check the filter pattern to ensure that it matches the event name for route table modifications accurately.
- 4.Check the metric configuration to ensure that the dimensions and other details are correctly set up.
- 5.Confirm that the alarm conditions are set appropriately and aligned with your monitoring requirements.
- 6.Ensure that the actions specified in the alarm configuration are correctly defined and properly triggered in case of an alarm state.
Additional Notes:
If you need to modify or delete the log metric filter or alarm, follow these steps:
To Modify a Log Metric Filter or Alarm:
- 1.Go to the AWS Management Console and access the CloudWatch service.
- 2.Locate and select the log metric filter or alarm you want to modify or delete.
- 3.Click on the "Actions" button and choose the appropriate option, such as "Edit," "Modify," or "Delete."
- 4.Follow the on-screen instructions to make the necessary changes or confirm the deletion.
Remember to regularly monitor the log metric filter and alarm for any route table changes in the cis_v150 environment. Also, ensure that the designated stakeholders receive and respond to any triggered alerts promptly.