This rule ensures the existence of a log metric filter and alarm for IAM policy changes.
| Rule | Ensure a log metric filter and alarm exist for IAM policy changes |
| --- | --- |
| Framework | cis_v150 |
| Severity | ✔ Low |
Rule/Policy Description
The rule aims to ensure that a log metric filter and alarm are in place to monitor and alert on any changes made to IAM policies. This helps to improve the security and compliance posture of the cloud environment, as it allows for timely detection and investigation of unauthorized or suspicious activities related to IAM policy modifications.
Troubleshooting Steps
If there are any issues related to the log metric filter or alarm for IAM policy changes, follow these troubleshooting steps:
- Verify permissions: Ensure that the user or role executing the commands or scripts has the permissions needed to create log metric filters and alarms in the targeted AWS account.
- Check log group configuration: Confirm that the log group that receives the logs related to IAM policy changes exists, is properly configured, and has adequate retention settings.
- Review IAM policy: Validate that the IAM policy attached to the user or role permits the creation and modification of log metric filters and alarms.
- Check CloudWatch Logs subscription filters: Ensure that any subscription filters associated with the log group are correctly configured and are not blocking the expected logs.
- Verify alarm configuration: Double-check the configuration of the alarm, including the condition, the threshold, and the actions to be triggered when the threshold is exceeded.
- Review CloudTrail settings: Confirm that CloudTrail is enabled and properly configured to capture IAM policy change events. Also, ensure that the CloudTrail logs are consistently delivered to the targeted S3 bucket.
- Review CloudTrail event history: Inspect the CloudTrail event history for any errors or gaps related to IAM policy changes.
- Check the metric filter pattern: Verify that the log metric filter has the correct pattern to match IAM policy change events.
Necessary Codes
There are no specific codes to provide for this rule, as it focuses on the configuration and setup of log metric filters and alarms rather than implementation scripts or coding.
Step-by-Step Guide for Remediation
Follow these steps to create a log metric filter and alarm for IAM policy changes:
1. Open the AWS Management Console and navigate to the CloudWatch service.
2. Select "Logs" from the left-hand menu.
3. Choose the log group that will store the logs related to IAM policy changes. If needed, create a new log group.
4. Click on "Create metric filter" from the "Actions" dropdown menu.
5. In the "Filter pattern" section, enter a filter pattern that matches IAM policy change events. For example:

```
{($.eventSource = "iam.amazonaws.com") && (($.eventName = "CreatePolicy") || ($.eventName = "DeletePolicy") || ($.eventName = "PutGroupPolicy") || ($.eventName = "DeleteGroupPolicy") || ($.eventName = "AttachGroupPolicy") || ($.eventName = "DetachGroupPolicy") || ($.eventName = "PutRolePolicy") || ($.eventName = "DeleteRolePolicy") || ($.eventName = "AttachRolePolicy") || ($.eventName = "DetachRolePolicy") || ($.eventName = "PutUserPolicy") || ($.eventName = "DeleteUserPolicy"))}
```

6. Verify the filter pattern by reviewing the sample logs displayed beneath the filter pattern field. Adjust the pattern if necessary.
7. Select the log group from the "Log source" drop-down menu.
8. Choose "Create a new metric" and enter a name for the metric.
9. Click on "Create filter".
10. Once the filter is created, go to the "Alarms" section in CloudWatch.
11. Click on "Create alarm".
12. In the "Select metric" section, choose the metric that the filter created in the previous steps publishes.
13. Define the desired condition and threshold for triggering the alarm. For example, you can set the threshold to ">= 1" to trigger the alarm whenever a single IAM policy change occurs.
14. Specify the actions to be taken when the alarm enters the ALARM state, such as sending an SNS notification.
15. Click on "Create alarm" to complete the setup.
Upon completion of these steps, the log metric filter and alarm for IAM policy changes will be in place, enabling you to detect and respond to any modifications to IAM policies in your AWS environment.
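The following script is an added example, not code from the original rule page or from the benchmark. It re-implements the filter pattern from the remediation steps as a Python predicate, runs it over a few constructed CloudTrail records, and applies the ">= 1 per period" alarm condition, so the pattern and threshold can be checked offline before they are entered in the console (the "check the metric filter pattern" troubleshooting item above). It also goes slightly beyond the page: `EXTRA_EVENT_NAMES` lists four IAM event names (`CreatePolicyVersion`, `DeletePolicyVersion`, `AttachUserPolicy`, `DetachUserPolicy`) that the CIS reference pattern covers but the page's pattern omits, and the sample data includes one such event to show the difference. All function names, the 300-second period and the sample records are this example's own choices.

```python
"""Offline check of the IAM policy change metric filter and alarm logic.

Added example, not code from the original rule page: it re-implements the
page's CloudWatch Logs filter pattern as a Python predicate, runs it over a
few constructed CloudTrail records, and applies the ">= 1 per period" alarm
condition, so the pattern and threshold can be sanity-checked offline.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# The eventName values from the page's filter pattern.
PAGE_EVENT_NAMES = (
    "CreatePolicy", "DeletePolicy",
    "PutGroupPolicy", "DeleteGroupPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
    "PutRolePolicy", "DeleteRolePolicy", "AttachRolePolicy", "DetachRolePolicy",
    "PutUserPolicy", "DeleteUserPolicy",
)
# Names the CIS reference pattern also covers but the page's pattern omits.
EXTRA_EVENT_NAMES = (
    "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachUserPolicy", "DetachUserPolicy",
)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_filter_pattern(event_names=PAGE_EVENT_NAMES):
    """Render the CloudWatch Logs JSON filter pattern for the given event names."""
    clauses = " || ".join('($.eventName = "%s")' % name for name in event_names)
    return '{($.eventSource = "iam.amazonaws.com") && (%s)}' % clauses


def is_iam_policy_change(record, event_names=PAGE_EVENT_NAMES):
    """Python equivalent of the filter pattern applied to one CloudTrail record."""
    return (record.get("eventSource") == "iam.amazonaws.com"
            and record.get("eventName") in event_names)


def matches_per_period(records, period_seconds=300, event_names=PAGE_EVENT_NAMES):
    """Count matching records per alarm period, keyed by period start (UTC ISO string).

    This mirrors the metric the filter emits: one data point per matching
    record, aggregated with Sum over the alarm period (300 s is an assumption).
    """
    counts = Counter()
    for record in records:
        if not is_iam_policy_change(record, event_names):
            continue
        ts = datetime.strptime(record["eventTime"], TIME_FMT).replace(tzinfo=timezone.utc)
        start = int(ts.timestamp()) // period_seconds * period_seconds
        counts[datetime.fromtimestamp(start, tz=timezone.utc).strftime(TIME_FMT)] += 1
    return counts


def alarm_periods(records, threshold=1, period_seconds=300, event_names=PAGE_EVENT_NAMES):
    """Period start times where the Sum of matches reaches the threshold (>= 1 by default)."""
    counts = matches_per_period(records, period_seconds, event_names)
    return sorted(start for start, n in counts.items() if n >= threshold)


def parse_records(lines):
    """Parse one CloudTrail record per line, as CloudWatch Logs stores them."""
    return [json.loads(line) for line in lines]


# Constructed sample records (not real data): one page-pattern match, two
# non-matches, and one that only the extended pattern catches.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-15T10:01:10Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachRolePolicy",
                "userIdentity": {"type": "IAMUser", "userName": "example-user"}}),
    json.dumps({"eventTime": "2024-01-15T10:02:30Z", "eventSource": "iam.amazonaws.com",
                "eventName": "GetRole"}),                 # read-only IAM call
    json.dumps({"eventTime": "2024-01-15T10:12:05Z", "eventSource": "sts.amazonaws.com",
                "eventName": "AssumeRole"}),              # different eventSource
    json.dumps({"eventTime": "2024-01-15T10:40:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "CreatePolicyVersion"}),     # missed by the page's pattern
]

if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG_LINES)
    print(build_filter_pattern())
    print("page pattern alarms:    ", alarm_periods(records))
    print("extended pattern alarms:",
          alarm_periods(records, event_names=PAGE_EVENT_NAMES + EXTRA_EVENT_NAMES))
```

Run it directly to print the pattern string (with balanced parentheses, ready to paste into the "Filter pattern" field) and the periods that would alarm under each variant. Two points worth keeping in mind when reading the output: the metric filter only ever sees records that the trail delivers to the CloudWatch Logs log group, so a trail that writes only to S3 produces no data points and no alarms, and a read-only call such as `GetRole` is deliberately excluded so the alarm stays actionable.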